Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
11241100x80000000000000002528625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.599{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.599{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E274AA854F2EC8B366EB67AB187AB10A,SHA256=454CD45870F54132D98562E39E72172AC029BB6E7D12A524794C4435BD2144D2falsefalse - insufficient disk space 11241100x80000000000000002528623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.064{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.064{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2713D9E25D98900875169AD5337508,SHA256=2808D602A32CC18CE69DEDB2A811E91B4DD8C5C0089CA57CD64E79F35DD215AAfalsefalse - insufficient disk space 10341000x80000000000000001563214Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:16.015{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563213Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.015{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5701E5358FC0AD189C815F4F147C6951,SHA256=56BCEB3C683B289615A20E1B97ED18F7E523212ECC58EFEA703B01DD4DE6A6ACfalsefalse - insufficient disk space 11241100x80000000000000002528746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C264BE7D0ADD717614A36FF52143ED,SHA256=9290786DF97D04DA1F4A1CD57A9A5F84BBBE0516074F7EACD3EF2DFA42B7AEA8falsefalse - insufficient disk space 354300x80000000000000001563225Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:12.112{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22332-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001563224Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.675{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A07469E95D5DF2F9DD7629F72E0698E,SHA256=3BA8060D44DBBDC2ED6A08CBD3912ED698BCA8BA130040E74665EB70FCABBCF3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001563223Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.396{761B69BB-818C-607D-0D00-00000000BA01}9046508C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563222Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.311{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7DF28ACB1348D47F9F2D9E197002AE,SHA256=E3487E7F57F577C20E512AF4556F6B84CBAD79EE43DC8D8465470E698C84317F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002528744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:14.530{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50720-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000002528743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002528742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002528741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002528739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.466{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.466{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA05EA4D6ACD919A8BA4A1661450E3CD,SHA256=A2EF6C2872EE13D0008DB86969AB9EC1A01A1D4E847237463B043AFB2B0638D1falsefalse - insufficient disk space 734700x80000000000000002528737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002528733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002528731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000002528729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002528726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000002528718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 
734700x80000000000000002528714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
10341000x80000000000000002528812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.790{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001563228Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:18.321{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B3E789A85AB07896AA7AB93A828181,SHA256=9FC4E015390824A468628C51F06EC2E962A46684DAECBC22FB338044BD21478A,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000002528810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000002528804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.272{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.272{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002528802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.272{21761711-C16E-6081-B687-00000000BB01}42806100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.271{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.271{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002528799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.150{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 
734700x80000000000000002528792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000002528781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002528778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002528762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C16E-6081-B687-00000000BB01}4280C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.994{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4DE4D4EE21B8EBBB63AADE77759768,SHA256=B2F5C9AC1826314FEDAC1C5606B879873FED18F67BAEEAEBA8236149328CAD0Efalsefalse - insufficient disk space 23542300x80000000000000001563236Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:20.341{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9830202D5F60A8A9FE794DF99C343E3,SHA256=8E55EF419EA39584C03635A089CB68A07DC33F09253FACDE238DCBFFE5E04801,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.509{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.509{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=280AE5D0A952DE583B03647D7A58A472,SHA256=FDB5CFE2BC3B1ECADC05C1843D881165438FDCB9FC03B16BD25A16AC2B7BF279falsefalse - insufficient disk space 
534500x80000000000000002528981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.293{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002528979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}33561528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002528976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.172{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.170{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.170{21761711-C170-6081-B987-00000000BB01}3356C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 
734700x80000000000000002528969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000002528958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002528956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002528939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C170-6081-B987-00000000BB01}3356C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002528934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.140{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001563235Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:20.018{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563234Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:20.018{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563239Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:21.350{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C644F88E421C26342F8524D93A82D9,SHA256=1452344ED2177CB291DF7F0EAF73A083ED75393520B0C87F0B14D94510011840,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002528986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.542{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50721-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001563238Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:21.019{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563237Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:21.019{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563242Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:22.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E6176014F828884A661172C0194436,SHA256=F02460EDF3787EF48D621D3D4BF8775803E097D92D5E2BFDFFB3390695F132BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:21.997{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:21.997{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BA6D60DDE0AF50DC4E4FF0B9FBC00F,SHA256=F1F49651C0B566C0E64E336FFCF0014BF33001C8C3516DF129AADDA0CCB51C5Efalsefalse - insufficient disk space 
10341000x80000000000000001563241Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:22.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563240Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:22.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563246Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.367{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCB4AA2BD73083F751BAD7A3283744E,SHA256=A567C5FD30C4CF0A14002AF24743C4C9B27D7A647C70997EE6021D56F02D568E,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002528990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:23.015{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:23.015{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95D19EF5BC175A464B43EBAA88F2B4F,SHA256=580DE4D116F9CEA44FE97C2239AC5C22F862E69DC07AAD742A14AD677C40EA00falsefalse - insufficient disk space 23542300x80000000000000001563245Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=995FF0F1117EBD7B7D47B7A09420999F,SHA256=C7C6742BCEE023C902A4D7B9975D553B0E597ABE9B8F986E2DE8748090EB7A65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563244Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:23.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563243Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563250Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.377{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBB2C3FC0CBE720930985A286CDC1BF,SHA256=617285D13B9A903D7D4DD33B2A15CF516F6DA4A08EE6CC303573EFFE188EDB54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:24.704{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000002528993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.704{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2F9EE2F078CFB1235F62420F463F7A37,SHA256=93B565EEF49E88801085BC5FEC3EBE963FAE8DB99D98B9A2B815AC8065BC0D06falsefalse - insufficient disk space 11241100x80000000000000002528992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D7C6B3AF9499C03582F1C027E8264C,SHA256=0B07B9C1D6D19F5B6409F034778A9B07D5E0C591F798C8BFC3D05D685987F487falsefalse - insufficient disk space 354300x80000000000000001563249Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.691{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22334-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563248Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:24.021{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563247Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.021{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:25.051{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:25.051{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5504B8DDB32525BAF32CCC008F8553,SHA256=DBF3FB087D2B75BB539390BE653F42707DA3599A6CA40F67CC7F700FA4D63935falsefalse - insufficient disk space 23542300x80000000000000001563254Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.396{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121342FF81681D40FE5EBF16CBBF9029,SHA256=9641D9F80F3573168480C70C6E833BC129247B7C74E1728802C2675E5E88B826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563253Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.035{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FBA022267CFC10B790DB8E1060A148,SHA256=89478EB6CE642DA2BB89388D4C3E3DAF7C12D007BF67D5F0E1699CEBBFFBDF17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563252Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.022{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001563251Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.022{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:26.054{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:26.054{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4CD3D9A696FF27C7FA92FE98AD2DD2,SHA256=2F97015C0A9E7BD962C93C1A9BE919364777AC99688DE31D8BF7506F14C981F5falsefalse - insufficient disk space 23542300x80000000000000001563258Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:26.400{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E47AEE055535FFF8E8B4589DA8B0FAC,SHA256=B136CD7F0507668FE058CE9743AC4D18A65C594E8DFC79AA1F9808B787EDFA26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563257Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:19.535{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22335-false10.0.1.12-8000- 10341000x80000000000000001563256Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:26.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:26.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563261Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:27.408{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DFE0361338ED26ABACA271C9DA7A5D,SHA256=361B79887D3A52E26DEA81FEAE3BA8CC4E78F8A360F62FA417DBA21EF34E05F8,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002529006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:33:27.773{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000002529005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:25.556{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50722-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 11241100x80000000000000002529003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A969F631A8607F63D89E163F56659D00,SHA256=30A96500D771052D0B5C6B625C67400BD3303489C6D2FBE31B2ADC1BF42DC412falsefalse - insufficient disk space 23542300x80000000000000002529001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A9BE6BA7B5AB9B483842C244826D18,SHA256=CE4BBDABCE39AA6B86E0EAC544686B9A6A6BAC684CC44E45C4B2A56222172272falsefalse - insufficient disk space 11241100x80000000000000002529000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000002528999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76A502E6BE657BF0CDE5754E8933F2C,SHA256=1123FBA1395ED3515A670BFAD3193A1460A78A963BAC1BB7FB6F24CAEC4C1AD5falsefalse - insufficient disk space 10341000x80000000000000001563260Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:27.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563259Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:27.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
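The records in this capture are Sysmon events whose EventData fields have been run together; the two worth a second look are Event ID 3 (NetworkConnect) records in which beacon_sph.exe on win-dc-982 and a SysWOW64 powershell.exe on win-host-5 each initiate TCP to 34.218.235.219:443, while the Splunk forwarder components only reach 10.0.1.12:8000. The Python below is an added example, not part of this dataset or of the Splunk attack range tooling: it takes Event ID 3 records in the EventData XML form Sysmon writes (constructed sample input, with the default XML namespace dropped, whose field values are copied from those three connections), keeps only process-initiated TCP connections to non-private addresses, and groups them by destination so one external endpoint shared across hosts and processes stands out. The empty allow-list of images permitted to talk externally is an assumption for illustration; it generalises to any Event ID 3 feed, not just these three records.

```python
"""Flag Sysmon Event ID 3 (NetworkConnect) records whose destination lies
outside private, loopback, link-local, multicast and reserved space, and group
them by destination endpoint.

Added example. The EventData XML below is the shape Sysmon writes to the
Microsoft-Windows-Sysmon/Operational channel, with the default namespace
dropped so ElementTree lookups stay simple; the values are copied from the
NetworkConnect records in this capture."""

import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict


def _event(**fields):
    """Build a Sysmon-style EventData block from keyword fields (sample-input helper)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f"<EventData>{body}</EventData>"


# Constructed sample input: three NetworkConnect records from this capture.
SAMPLE_EVENTS = [
    _event(RuleName="-", UtcTime="2021-04-22 18:33:19.535",
           ProcessGuid="{761B69BB-8207-607D-CF00-00000000BA01}", ProcessId="4116",
           Image=r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe",
           User=r"NT AUTHORITY\SYSTEM", Protocol="tcp", Initiated="true",
           SourceIsIpv6="false", SourceIp="10.0.1.14",
           SourceHostname="win-dc-982.attackrange.local", SourcePort="22335",
           SourcePortName="-", DestinationIsIpv6="false", DestinationIp="10.0.1.12",
           DestinationHostname="-", DestinationPort="8000", DestinationPortName="-"),
    _event(RuleName="-", UtcTime="2021-04-22 18:33:17.691",
           ProcessGuid="{761B69BB-9C8D-6081-C081-00000000BA01}", ProcessId="4856",
           Image=r"C:\Users\Administrator\Desktop\beacon_sph.exe",
           User=r"ATTACKRANGE\Administrator", Protocol="tcp", Initiated="true",
           SourceIsIpv6="false", SourceIp="10.0.1.14",
           SourceHostname="win-dc-982.attackrange.local", SourcePort="22334",
           SourcePortName="-", DestinationIsIpv6="false", DestinationIp="34.218.235.219",
           DestinationHostname="ec2-34-218-235-219.us-west-2.compute.amazonaws.com",
           DestinationPort="443", DestinationPortName="https"),
    _event(RuleName="-", UtcTime="2021-04-22 18:33:27.242",
           ProcessGuid="{21761711-BD9E-6081-3387-00000000BB01}", ProcessId="2852",
           Image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
           User=r"WIN-HOST-5\Administrator", Protocol="tcp", Initiated="true",
           SourceIsIpv6="false", SourceIp="10.0.1.15",
           SourceHostname="win-host-5.attackrange.local", SourcePort="50723",
           SourcePortName="-", DestinationIsIpv6="false", DestinationIp="34.218.235.219",
           DestinationHostname="ec2-34-218-235-219.us-west-2.compute.amazonaws.com",
           DestinationPort="443", DestinationPortName="https"),
]

# Assumption for illustration: lower-cased image paths allowed to reach external
# addresses. Empty here because nothing in this range is expected to talk outside.
ALLOWED_EXTERNAL_IMAGES = set()


def parse_event_data(xml_text):
    """Return the <Data Name=...> fields of one EventData block as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def is_external(ip_text):
    """True when the address is outside private/loopback/link-local/multicast/reserved space."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def external_connections(events, allowed=ALLOWED_EXTERNAL_IMAGES):
    """Parsed NetworkConnect records that initiate TCP to an external IP from a
    non-allow-listed image. Inbound records (Initiated=false) are skipped."""
    hits = []
    for xml_text in events:
        f = parse_event_data(xml_text)
        if f.get("Initiated") != "true" or f.get("Protocol") != "tcp":
            continue
        if not is_external(f["DestinationIp"]):
            continue
        if f["Image"].lower() in allowed:
            continue
        hits.append({
            "time": f["UtcTime"], "host": f["SourceHostname"], "image": f["Image"],
            "user": f["User"], "pid": int(f["ProcessId"]),
            "dst": f["DestinationIp"], "dport": int(f["DestinationPort"]),
        })
    return hits


def by_destination(hits):
    """Group hits by (DestinationIp, DestinationPort) so one external endpoint
    reached from several hosts or processes is reported once, with all callers."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["dst"], h["dport"])].append(h)
    return dict(groups)


if __name__ == "__main__":
    for (dst, dport), hs in by_destination(external_connections(SAMPLE_EVENTS)).items():
        print(f"{dst}:{dport}  reached by {len(hs)} process(es)")
        for h in hs:
            print(f"  {h['time']}  {h['host']}  pid={h['pid']}  {h['user']}  {h['image']}")
```

Run as-is, it reports the one external endpoint with both callers and stays silent about the forwarder's internal connection. On a real feed, replace SAMPLE_EVENTS with the EventData blocks pulled from the channel (and keep the namespace handling in mind if you parse full Event XML rather than the stripped form used here); a non-empty allow-list of known egress images is what keeps the output to the unexpected callers.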
23542300x80000000000000001563264Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:28.421{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F503B9FE10AAB41735A9691382131C,SHA256=D05E6029AF59DA13C0B1A5661881945D9258C24A41581CB45A04B1E53E0F9B5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.894{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.894{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A969F631A8607F63D89E163F56659D00,SHA256=30A96500D771052D0B5C6B625C67400BD3303489C6D2FBE31B2ADC1BF42DC412falsefalse - insufficient disk space 11241100x80000000000000002529008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.127{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.127{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D801D501C2CE8B051A8B2309FD6217,SHA256=CEF175F9646B8C3676D7E437FC3EC21A785E7361325876E92AD6E055AF7C1FA6falsefalse - insufficient disk space 10341000x80000000000000001563263Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:28.024{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:28.024{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563267Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:29.426{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6368275AC34575B10A4B1CFAC36B337B,SHA256=16A00D738A25D97812D93025BA3C41DEB829ED127A48B9728AF9F49ADB599F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.246{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50724-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002529013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.242{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50723-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002529012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:29.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:29.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A4F319DB29952B8F806F26AC30AF94,SHA256=20FA630D696DDEA5FD274FAF68BA557FC5FF2481B26DD5A3287D4E31F021F8F9falsefalse - insufficient disk space 10341000x80000000000000001563266Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:29.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563265Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:29.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563272Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.435{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A423FC2AA22803ABFBF145A605708953,SHA256=C776980B3538A9F4DFEB5BBAC997655A1CB2AA4EC515E10F89A917988B4A21DC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:30.197{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:30.197{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A5721EB51DF983D344CEDD5DA727F0,SHA256=9FCA8ECFA2098D482BBA93B442BFF727D19E2A20A50547F6A14F979C6C5DFC87falsefalse - insufficient disk space 23542300x80000000000000001563271Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.166{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCF91A7EA49D439BF3A03139A4B5811,SHA256=D000F6EA649C1698016587435495227875F70D8A1CF644F67496D67B85B5E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563270Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.165{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65FD28C802B14C6217BBFA96E687C763,SHA256=093A56FD94570A89ACC15173C55E77EE02395F0153D6CCE868FD2273D9D3B8B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563269Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:30.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563268Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:31.219{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:31.219{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F72E63CE1D650C210E70F310E4A55D0,SHA256=23EE65B6E7ED2AD2A1146ECCF49AAB9CF0D5A17C4E75931D88F52F1275DD644Cfalsefalse - insufficient disk space 23542300x80000000000000001563277Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.440{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5890143C0825A04C41EF7BD91D55C5,SHA256=9169E3551F28ADF322142BD239F0C764D08F4D32555706B5A1E2C60669E563F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563276Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.195{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCF91A7EA49D439BF3A03139A4B5811,SHA256=D000F6EA649C1698016587435495227875F70D8A1CF644F67496D67B85B5E25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563275Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.666{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22336-false10.0.1.12-8000- 10341000x80000000000000001563274Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:31.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563273Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:32.447{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50005291A76914FE4E4C35BDBD72587B,SHA256=0AB1C8A0DACDAC9AB0EB68A2F77E7F595C7F92EE588EF079E894108BF8F57A94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:30.569{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50725-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.222{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.222{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4D06D3C443F91D5ECDA1F84BF2B7B3,SHA256=B8E1586AFA348600D53CA9838AE334A48DE76B5796644580609D1D1A7E7BAD7Dfalsefalse - insufficient disk space 11241100x80000000000000002529020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.137{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.137{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EDE6FD13A352DEC9D8F765708F90308,SHA256=EE0A4B68CC05AC7FD10F12A9F99327092F5687782AA07AA566779B05E0F2F2F1falsefalse - insufficient disk space 
354300x80000000000000001563281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.688{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22337-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001563280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.688{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22337-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 10341000x80000000000000001563279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:32.027{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563278Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:32.027{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:33.456{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2A1F9DA56552BCA4A0701CDCFF75DE,SHA256=50F1421C773E08DE8A0E1E545B5A46E02B2FE2143ED91D1CBC75B848BD9A100A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:33.224{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:33.224{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1740F0F09E64CCF70A8A394213FCBB4A,SHA256=2CF44C0F8CEE6546DF44CBC3FFABB4A599ED0281C8714E4B342B47B62B43D62Afalsefalse - insufficient disk space 
10341000x80000000000000001563284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:33.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:33.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.876{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028430C3E74403ED189590BA9C0A303B,SHA256=30B5BB517203AA8BB756A5F9FE710F3EF0FE6E1A182AD098B183831A7C2F8080,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001563288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.479{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6472E8FC2EE15255A6A9445A7182BA,SHA256=323A60ABE679C4F552D3C9550C3D29C8EFFB6A8E716DA4527F7A5BB4D58B8434,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:34.227{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:34.227{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D006A4EDD7CDDA10E30CCD7566856F,SHA256=E6886AAC5D0E1718769E8FE5B56EFE00A29128DAC16A964CCE505D6A15FB348Efalsefalse - insufficient disk space 10341000x80000000000000001563287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:34.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:35.376{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:35.376{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DAD4D0B791EE000AE1D9F91C9CA451,SHA256=2E7B7389232649EDE677CC5C152384A2897A1A8D240C2CEF7D70250164ED9015falsefalse - insufficient disk space 23542300x80000000000000001563292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:35.494{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC46DEDC038F5124252FD308EACCAAB9,SHA256=52EBA82A208478BFFB653E60CB8C6C7CA07BD501FEF6ABB41DFA93827CCB706C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:35.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:35.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:36.612{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:36.612{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3D1ABF6B0C108CB6E84D349E633DE5,SHA256=B332A6C3D6507300BBF910E096391FF1DB83577C563E11FFA3252F85D5B365CBfalsefalse - insufficient disk space 23542300x80000000000000001563296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.507{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04FD83216EC3F78A087395915C6AD38,SHA256=026EAF60FA85208037E2453F1F11D9A4217D09A331E969F476541B9207A62A75,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001563295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.092{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8F82FCC15675F28F9D097543CEDF6E,SHA256=8EFA3DF7B7E7BAFE378AE504449EF5ED9736F882B382B38C3D86B4272A455D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.030{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.030{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000002529038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:35.580{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50726-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.634{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.634{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669FA8868CD31DA8C7FCB503CDFE6D44,SHA256=C51AC6F5D2189B8481E851E90008C254C8B22FE8652281C5541FD9C575FA37F2falsefalse - insufficient disk space 23542300x80000000000000001563300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:37.512{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57B855628FE51C0C09800F06D1C28D7,SHA256=75400F633E4ABAD34BED0C93439F1962563CD43D2D7265B90915650B2C181EC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E2FDA5BF1EA27EDCE0EF99E07B994A,SHA256=270638BE296FC912B1091A6349A5F8A65722C77381D7C801F195C54711A91365falsefalse - insufficient disk space 11241100x80000000000000002529033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3197FD0F2AF39F102EAD44353E8A177A,SHA256=D362FCDE2CFBCC3ACE7611538A187267C5788B24A12176D170463A12DE6EE57Ffalsefalse - insufficient disk space 354300x80000000000000001563299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.575{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22338-false10.0.1.12-8000- 10341000x80000000000000001563298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:37.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:37.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:38.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:38.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592F3D12A30403C0FE8DB86A01DAA769,SHA256=784853232BE95CCF69DD0D4703AA58C35E22C016826B46689513EC9CAA71C56Cfalsefalse - insufficient disk space 23542300x80000000000000001563303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.518{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8435B755724987A171C7B29818843FCF,SHA256=73135C3BA5AF5E0BC638F9051AF491824899FB6139ACF4ED794D0139B738A812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:38.031 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P

Record layout (flattened Sysmon event XML, one record per line): [EventRecordID] EventID name | Computer | EventData fields in Sysmon schema order. Values fixed per event type and therefore not repeated: EID 3 NetworkConnect (Version 5, Task 3), EID 10 ProcessAccess (Version 3, Task 10), EID 11 FileCreate (Version 2, Task 11), EID 23 FileDelete (Version 5, Task 23); Level 4, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational and RuleName "-" on every record. In the EID 10 records the split of the concatenated SourceProcessId/SourceThreadId digits (844/972 on win-dc-982) is inferred.
CallTrace P = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[2529042] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:39.955 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
[2529041] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:39.955 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=0AD6F21288CC2A86A2ACE1D541B81684,SHA256=F113D7EA606BC7D6100FA5AA7CD8B378EE0A7C550206164E468A30EABEF6D2AA | IsExecutable=false | Archived=false - insufficient disk space
[1563306] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:39.521 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=35CF83FF0643B8AEC7C03B23A59DAE31,SHA256=B4AE8820329B82BDE0DBAB4D31E3B8092C7C6C3384524D5DB4515DC97E1A7218,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563305] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:39.031 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} | TargetProcessId=6840 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=P
[1563304] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:39.031 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P
[2529044] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:40.958 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
[2529043] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:40.958 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E53BA495317E8B3022EC40BBAE6462D3,SHA256=0EC504B779B57E8BE86AE1EC381AC28ADAEA58DA57A049BB59C9F1A82D4541D5 | IsExecutable=false | Archived=false - insufficient disk space
[1563309] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:40.529 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A02130AC3DA9BAA7CB3E03A41823F987,SHA256=806A17B7ABFAA98D5CD666603B4BE8DD2654DA1D9779C28479B38A94FDA526E5,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563308] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:40.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} | TargetProcessId=6840 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=P
[1563307] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:40.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P
[2529046] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:41.960 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
[2529045] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:41.960 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3AAD0A11D31365011EBF118719E3BF42,SHA256=B9CFB772743CC6193B400D80968641943E950E0B6B97DC762E033B8AF85D2985 | IsExecutable=false | Archived=false - insufficient disk space
[1563314] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:41.552 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=2F6E9516E6ADD6A872B84365CA32F4C7,SHA256=2E1E4EDCB0D3A6DBF36F2300FB3D6EC4DFF6370B317196F4024DFD874C9124FB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563313] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:41.214 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=2F67D1A0EAC7870437EC8E36657F4BD2,SHA256=2696FF3527C6F9FAE5B295D1FD16130285C019B0F5F60760A521D44FB5BA2689,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563312] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:41.213 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=C42E6F4BC1FA6ABDA6615F2362A6AC12,SHA256=12F102A9340B1EE293B7E1575301085E65BC6D96C56501395F228DBE743652B2,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563311] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:41.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} | TargetProcessId=6840 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=P
[1563310] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:41.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P
[1563318] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:42.558 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3BFA90F7232B4B60755E6DCF8ABB2341,SHA256=7991FA1DAE858AEF5C057683C5502E46C08F6C22572BE05C9DF69ECBAF875632,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563317] EID 3 NetworkConnect | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:35.705 | ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} | ProcessId=4116 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-982.attackrange.local | SourcePort=22339 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
[1563316] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:42.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} | TargetProcessId=6840 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=P
[1563315] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:42.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P
[1563321] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:43.561 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D5395A8E2E6543878784F68C882593CB,SHA256=50BFDB0C06E0A05DFA1FCB3A2D5CADDD6AD665051514C6161CF39005098403F3,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[2529055] EID 3 NetworkConnect | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:41.613 | ProcessGuid={21761711-8431-607D-C500-00000000BB01} | ProcessId=3840 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-5.attackrange.local | SourcePort=50727 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
[2529054] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.695 | ProcessGuid={21761711-842A-607D-9700-00000000BB01} | ProcessId=3716 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | CreationUtcTime=2021-04-19 13:22:46.774
[2529053] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.695 | ProcessGuid={21761711-842A-607D-9700-00000000BB01} | ProcessId=3716 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | Hashes=MD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E | IsExecutable=false | Archived=false - insufficient disk space
[2529052] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.263 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-04-19 13:20:22.616
[2529051] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.263 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=173DEBF31B8CA2D900D9121C2A611BED,SHA256=361FC2706C866DACF5C017421A747158D0A58AB3E1CBECEFC15869E236FD8436 | IsExecutable=false | Archived=false - insufficient disk space
[2529050] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.263 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-04-19 13:20:22.616
[2529049] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.263 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=54E2FDA5BF1EA27EDCE0EF99E07B994A,SHA256=270638BE296FC912B1091A6349A5F8A65722C77381D7C801F195C54711A91365 | IsExecutable=false | Archived=false - insufficient disk space
[2529048] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.028 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
[2529047] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.028 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3B61857662FBDC8AD993C886ACF76764,SHA256=5275A34A47E81E84F421D899CF2C8C46B6ED4E4089D2B2D2D92D3CF4543CE321 | IsExecutable=false | Archived=false - insufficient disk space
[1563320] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:43.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} | TargetProcessId=6840 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=P
[1563319] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:43.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P
[1563325] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:44.568 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D485BBE8810F323769A20333A0484E5F,SHA256=9277570940F7D8FE0E3E029FCCFCEEC7DD12AFB8E27064CE7560E21165841157,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[2529060] EID 3 NetworkConnect | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:43.148 | ProcessGuid={21761711-842A-607D-9700-00000000BB01} | ProcessId=3716 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-5.attackrange.local | SourcePort=50728 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8089 | DestinationPortName=-
[2529059] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:44.682 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-04-19 13:20:22.616
[2529058] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:44.682 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=173DEBF31B8CA2D900D9121C2A611BED,SHA256=361FC2706C866DACF5C017421A747158D0A58AB3E1CBECEFC15869E236FD8436 | IsExecutable=false | Archived=false - insufficient disk space
[2529057] EID 11 FileCreate | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:44.065 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
[2529056] EID 23 FileDelete | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:44.065 | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=15CA07CC0E2BD86B04ACC09728249A0C,SHA256=95B1971217278C2B00E672CE400935B23A11520A45ACBAFAF77A5205CC0CF089 | IsExecutable=false | Archived=false - insufficient disk space
[1563324] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:44.359 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=2F67D1A0EAC7870437EC8E36657F4BD2,SHA256=2696FF3527C6F9FAE5B295D1FD16130285C019B0F5F60760A521D44FB5BA2689,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[1563323] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:44.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} | TargetProcessId=6840 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=P
[1563322] EID 10 ProcessAccess | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:44.032 | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} | TargetProcessId=6112 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=P
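The records above are what a Sysmon export looks like once the XML has been flattened; in practice an analyst works from the event XML itself. The following is an added example, not part of the original export and not Sysmon's or Splunk's own code: it parses Sysmon event XML (the real <System>/<EventData> layout) into flat dicts and runs the three checks a first triage pass over this data would make, i.e. which FileDelete records did not keep an archived copy and why, which ProcessAccess source/target/access combinations occur and how often, and which processes initiated outbound connections to where. The four sample events are constructed inline from field values taken from records 2529041, 1563306, 2529107 and 1563317 above; the Security UserID attribute, the omitted TimeCreated/Execution elements, the shortened CallTrace and the 792/812 split of the concatenated SourceProcessId/SourceThreadId digits are assumptions of the example.

```python
"""Parse Sysmon event XML and run three triage checks over the result.

Added example. Sample events below are constructed in Sysmon's event XML
layout from values in the export (records 2529041, 1563306, 2529107, 1563317);
the UserID, the omitted TimeCreated/Execution elements, the shortened
CallTrace and the 792/812 PID/TID split are assumptions, not export data.
"""
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
UF = r"C:\Program Files\SplunkUniversalForwarder"


def _event_xml(eid, version, record_id, computer, data):
    """Build one constructed Sysmon event; the element layout is the real one."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f'<EventID>{eid}</EventID><Version>{version}</Version><Level>4</Level>'
        f'<Task>{eid}</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>'
        f'<EventRecordID>{record_id}</EventRecordID>'
        f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>{computer}</Computer>'
        f'<Security UserID="S-1-5-18"/></System><EventData>{body}</EventData></Event>'
    )


SAMPLE_XML = [
    _event_xml(23, 5, 2529041, "win-host-5.attackrange.local", {
        "RuleName": "-", "UtcTime": "2021-04-22 18:33:39.955",
        "ProcessGuid": "{21761711-8437-607D-CE00-00000000BB01}", "ProcessId": "2032",
        "User": r"NT AUTHORITY\SYSTEM", "Image": UF + r"\bin\splunk-winevtlog.exe",
        "TargetFilename": UF + r"\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational",
        "Hashes": "MD5=0AD6F21288CC2A86A2ACE1D541B81684,SHA256=F113D7EA606BC7D6100FA5AA7CD8B378EE0A7C550206164E468A30EABEF6D2AA",
        "IsExecutable": "false", "Archived": "false - insufficient disk space"}),
    _event_xml(23, 5, 1563306, "win-dc-982.attackrange.local", {
        "RuleName": "-", "UtcTime": "2021-04-22 18:33:39.521",
        "ProcessGuid": "{761B69BB-820D-607D-D800-00000000BA01}", "ProcessId": "1064",
        "User": r"NT AUTHORITY\SYSTEM", "Image": UF + r"\bin\splunk-winevtlog.exe",
        "TargetFilename": UF + r"\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational",
        "Hashes": "MD5=35CF83FF0643B8AEC7C03B23A59DAE31,SHA256=B4AE8820329B82BDE0DBAB4D31E3B8092C7C6C3384524D5DB4515DC97E1A7218,IMPHASH=00000000000000000000000000000000",
        "IsExecutable": "false", "Archived": "true"}),
    _event_xml(10, 3, 2529107, "win-host-5.attackrange.local", {
        "RuleName": "-", "UtcTime": "2021-04-22 18:33:45.653",
        "SourceProcessGUID": "{21761711-83AE-607D-0D00-00000000BB01}",
        "SourceProcessId": "792", "SourceThreadId": "812",  # split assumed
        "SourceImage": r"C:\Windows\system32\svchost.exe",
        "TargetProcessGUID": "{21761711-84D1-607D-0101-00000000BB01}", "TargetProcessId": "4292",
        "TargetImage": r"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe",
        "GrantedAccess": "0x1000",  # first three frames of the export's trace only
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71"}),
    _event_xml(3, 5, 1563317, "win-dc-982.attackrange.local", {
        "RuleName": "-", "UtcTime": "2021-04-22 18:33:35.705",
        "ProcessGuid": "{761B69BB-8207-607D-CF00-00000000BA01}", "ProcessId": "4116",
        "Image": UF + r"\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe",
        "User": r"NT AUTHORITY\SYSTEM", "Protocol": "tcp", "Initiated": "true",
        "SourceIsIpv6": "false", "SourceIp": "10.0.1.14", "SourceHostname": "win-dc-982.attackrange.local",
        "SourcePort": "22339", "SourcePortName": "-", "DestinationIsIpv6": "false",
        "DestinationIp": "10.0.1.12", "DestinationHostname": "-", "DestinationPort": "8000",
        "DestinationPortName": "-"}),
]


def parse_event(xml_text):
    """Flatten one Sysmon <Event> into a dict: System essentials plus every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for item in root.find("e:EventData", NS).findall("e:Data", NS):
        event[item.get("Name")] = item.text or ""
    return event


def unarchived_deletes(events):
    """FileDelete (EID 23) records whose copy was not kept; Sysmon puts the reason in Archived."""
    return [e for e in events if e["EventID"] == 23 and e.get("Archived") != "true"]


def process_access_summary(events):
    """Count ProcessAccess (EID 10) by (SourceImage, TargetImage, GrantedAccess), the usual baseline key."""
    return Counter((e["SourceImage"], e["TargetImage"], e["GrantedAccess"])
                   for e in events if e["EventID"] == 10)


def outbound_connections(events):
    """Distinct (Image, DestinationIp, DestinationPort) for initiated NetworkConnect (EID 3) records."""
    return {(e["Image"], e["DestinationIp"], e["DestinationPort"])
            for e in events if e["EventID"] == 3 and e["Initiated"] == "true"}


EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for e in unarchived_deletes(EVENTS):
        print(f'[{e["EventRecordID"]}] {e["Computer"]} {e["TargetFilename"]} -> Archived={e["Archived"]}')
    for key, n in process_access_summary(EVENTS).items():
        print(n, *key)
    for conn in sorted(outbound_connections(EVENTS)):
        print(*conn)
```

Run against a full export the same three functions reproduce what the listing shows by eye: every FileDelete on win-host-5 reports "false - insufficient disk space" while the domain controller archives successfully, the ProcessAccess traffic is one svchost.exe source against a handful of shell and UWP targets with the same access mask, and the only outbound connections are the Splunk forwarder components talking to 10.0.1.12 on 8000 and 8089. Treat the Archived reason as an operational finding in its own right: a FileDelete archive that keeps failing on disk space means the host is not retaining the deleted binaries the rule was meant to preserve.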
CallTrace values referenced in the win-host-5 ProcessAccess (EID 10) records below; the 792/812 split of the concatenated SourceProcessId/SourceThreadId digits is inferred. Other fields are listed per record in Sysmon schema order as [EventRecordID] EventID name | Computer | EventData.
CallTrace R1 = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
CallTrace R2 = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[1563329] EID 23 FileDelete | Computer=win-dc-982.attackrange.local | UtcTime=2021-04-22 18:33:45.577 | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=218B77671DC0F5703A1163C54E01A225,SHA256=11319BBF786575C512E82E5289032B9F8DB7D9218C0DA2240574D71E16E08B71,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
[2529107] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D1-607D-0101-00000000BB01} | TargetProcessId=4292 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529106] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D1-607D-0101-00000000BB01} | TargetProcessId=4292 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529105] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D1-607D-0101-00000000BB01} | TargetProcessId=4292 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529104] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C8-607D-EB00-00000000BB01} | TargetProcessId=1744 | TargetImage=C:\Windows\System32\RuntimeBroker.exe | GrantedAccess=0x1000 | CallTrace=R2
[2529103] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C8-607D-EB00-00000000BB01} | TargetProcessId=1744 | TargetImage=C:\Windows\System32\RuntimeBroker.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529102] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C8-607D-EB00-00000000BB01} | TargetProcessId=1744 | TargetImage=C:\Windows\System32\RuntimeBroker.exe | GrantedAccess=0x1000 | CallTrace=R2
[2529101] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C8-607D-EB00-00000000BB01} | TargetProcessId=1744 | TargetImage=C:\Windows\System32\RuntimeBroker.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529100] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529099] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529098] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529097] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529096] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529095] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529094] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529093] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84D0-607D-0001-00000000BB01} | TargetProcessId=5072 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x1000 | CallTrace=R1
[2529092] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C9-607D-F200-00000000BB01} | TargetProcessId=3784 | TargetImage=C:\Windows\Explorer.EXE | GrantedAccess=0x1000 | CallTrace=R2
[2529091] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C9-607D-F200-00000000BB01} | TargetProcessId=3784 | TargetImage=C:\Windows\Explorer.EXE | GrantedAccess=0x1000 | CallTrace=R1
[2529090] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C9-607D-F200-00000000BB01} | TargetProcessId=3784 | TargetImage=C:\Windows\Explorer.EXE | GrantedAccess=0x1000 | CallTrace=R2
[2529089] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 18:33:45.653 | SourceProcessGUID={21761711-83AE-607D-0D00-00000000BB01} | SourceProcessId=792 | SourceThreadId=812 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-84C9-607D-F200-00000000BB01} | TargetProcessId=3784 | TargetImage=C:\Windows\Explorer.EXE | GrantedAccess=0x1000 | CallTrace=R1
[2529088] EID 10 ProcessAccess | Computer=win-host-5.attackrange.local | UtcTime=2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.083{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.083{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA046B7C70F0DBE6EBDE96E0792F14D,SHA256=C8A3DC8AE3F8D4B1FA3A07C7BDAE32F22C9C02FFCED05D9FDCCA6D5C7CA1A71Afalsefalse - insufficient disk space 354300x80000000000000001563328Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.840{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22340-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563327Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563326Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:45.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:46.772{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:46.772{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F598A77FE0DD246ACFE32CDCF22692,SHA256=6C4FA4782BEA2281A376FBB50E108F9A94400D17747E46775783F932FF14DCA5falsefalse - insufficient disk space 23542300x80000000000000001563332Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.582{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A51D11BB78E00BE61B9C6332319C7C,SHA256=3D56EAEA8CDC5BB108220744B505AEC71E070273E7517A554E80044B9C8A3C90,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001563331Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563330Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002529113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:33:47.805{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002529112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
18:33:47.790{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
11241100x80000000000000002529111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.774{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.774{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082D435CF6BCD8868E9DC6C6CEB7CD81,SHA256=039EBAD47AAFC63903E79365C76696476D8A27274C586EB87BA2C4B45CC5F4DBfalsefalse - insufficient disk space
23542300x80000000000000001563336Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.585{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C6BE75D318DCB41E060A88973BBCBA,SHA256=2FA7421D645DA7B3E614F61B000103F8E29D07BE24AA529B283F8FF017FEF6EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001563335Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.115{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14117C3B388B1C121BEB0DFEFEF7DC0B,SHA256=A35D3133070A903E9F7175BC52F3210D9D3FAE67088ECC747300BB95EECB9F31,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001563334Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563333Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002529117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.792{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.792{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB316320042CC1817C0800AD0ED19B7,SHA256=5BCD265F5C55EB512F422C1A7C52643FB3321208CB22D0FCC878361E47AF2D7Dfalsefalse - insufficient disk space
23542300x80000000000000001563340Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:48.590{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEC01C3BF3420B4F531C4613B0D468F,SHA256=193BFC2EA328D5E656714E5EC194EB1C65085C062BADFBF5DDDA21C940F2CA0C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002529115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.159{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002529114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.159{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=024DDC6FA9B140330910351549740533,SHA256=6ED84CDF105A4BF3AA991E5E52C9FBF0D23FACEE3F217FF377F8E863D6FA579Cfalsefalse - insufficient disk space
354300x80000000000000001563339Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.594{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22341-false10.0.1.12-8000-
10341000x80000000000000001563338Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:48.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563337Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:48.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002529122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:49.794{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:49.794{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFD603371311D1D8DBECDA1F5FAE826,SHA256=DE7BC18C6A5F0C244D4259AA97E6685E9154190CB6BD79D1B5DB84313EE0D895falsefalse - insufficient disk space
23542300x80000000000000001563343Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:49.596{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBD5C5DFEE8BF5AB58B5451926BA0CC,SHA256=7257AD16F7FBD8005BBF6D1ED32037C638BFB8A4E4BFCCE2BF8EA12078B8C294,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002529120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.274{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50731-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x80000000000000002529119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.259{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50730-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x80000000000000002529118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:46.625{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
10341000x80000000000000001563342Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:49.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563341Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:49.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002529124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:50.913{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:50.913{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55C0DA891D3F49B3DC25F17D77B6608,SHA256=127B5457C807146BD3586F262508E331EA7D173A37BCC34A53892919BA10B06Efalsefalse - insufficient disk space
23542300x80000000000000001563348Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.983{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB358BA6FF4ADBA9B88D159614EEA3F,SHA256=43E41A744575D06AD0F51466B654E3A488B7518E90C60E3FDA7EACBC879CC0F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001563347Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.600{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85D3740C449054D5CD94AFAD139AB48,SHA256=CA85309488F41557B19FC6020BDA3BA7ECF083FC4C2E42F2B2EA2FBA01003E60,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001563346Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563345Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563344Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.025{761B69BB-818A-607D-0B00-00000000BA01}6326220C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
11241100x80000000000000002529126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:51.984{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:51.984{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D463A6500DFCB64118F696A7AD6F0DA7,SHA256=6A92CD35BB2F1FECF9B49CCE77A7A8884775AE81E36E0BB0A6D3B4915AB9BC6Dfalsefalse - insufficient disk space
23542300x80000000000000001563366Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.612{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10835699C98F1ACA7C22755AE1AF5C66,SHA256=19D3218442A4D5C1C128231235AB49BF269A1F92076F755AF482280974619562,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001563365Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.529{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22344-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds
354300x80000000000000001563364Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.529{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22344-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds
354300x80000000000000001563363Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.432{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local22343-false10.0.1.14win-dc-982.attackrange.local389ldap
354300x80000000000000001563362Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.432{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22343-false10.0.1.14win-dc-982.attackrange.local389ldap
354300x80000000000000001563361Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.425{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22342-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
354300x80000000000000001563360Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.425{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22342-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
23542300x80000000000000001563359Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.159{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001563358Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.159{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563357Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563356Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563355Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563354Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563353Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001563352Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.156{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001563351Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.155{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x80000000000000001563350Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.038{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563349Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.038{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002529128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:52.987{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:52.987{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC632DA4890B6D77ADD3794426AC20FE,SHA256=32727A245650ABD7FDC81CF02F02661B035EBAD10E3021EC1E8747684AD2707Afalsefalse - insufficient disk space
23542300x80000000000000001563371Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.618{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85A8A3144D6A341630FB50F134A01F9,SHA256=B7A93A41913592831171E4AD762A3F849AC1A33885129069C556A7320CF52CD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001563370Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.276{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7BBB92CBEE4C0159ADE46F446D29FEA5,SHA256=AE2107C5C9F24D9680B8F9F6578547741C30DB1615017DFE2A67E115E375D72C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001563369Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.162{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27AFF385E0CEEDE30F013E62CD4360BB,SHA256=27552C7AB164D2D02CC36242FE8311326684C13690CAA1E431001E0139DED97A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001563368Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563367Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001563376Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:53.629{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A588AA04EEC27D07E80825526C5F13,SHA256=30F2AAA8628DF2C72600EB52C5BFA598438A21B93F597387AB45AE7DA9FBD229,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002529133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:51.638{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002529132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002529131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EFC7638C0C3E3BD03A8399FC67C5A84,SHA256=58A85FEF11416BAE2EDB035D4EDE87B0C4974C3F1628F463EA92E8A22C0C0287falsefalse - insufficient disk space
11241100x80000000000000002529130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002529129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D80319EB92C037608838CC5A8B62287,SHA256=8F103984A0FB9C538D26FEA0E16277061E99683BD0DF8701905921203079CA68falsefalse - insufficient disk space
354300x80000000000000001563375Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.725{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22346-false10.0.1.12-8000-
354300x80000000000000001563374Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.659{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22345-false10.0.1.12-8089-
10341000x80000000000000001563373Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:53.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001563372Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:53.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001563379Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:54.633{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5AE6407BEC3831BDC7635376991A82,SHA256=BA599F789C77FED4A016987AB650BE072FB8A15FE7C03FC67295A61987AB0154,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002529135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:54.055{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:54.055{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55168588CE73C4B1FF9F6A55DE5E2446,SHA256=95DCAF6457B18D063EDB3E5359A761AA84D5B8321E02CB91136ACD1CF2CBD729falsefalse - insufficient disk space
10341000x80000000000000001563378Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:54.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563377Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:54.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563399Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.794{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001563398Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563397Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563396Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563395Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563394Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.791{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563393Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.791{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563392Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.791{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001563391Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.641{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A91719716C692E38794B7B72BEEECAE,SHA256=0392A23E7E75699FB09F2A2A1ED9D5FC557659F11A27F58F435DD2DB9355A6F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:55.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:55.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ADD580251D6EA95C7E29E768AA8240,SHA256=CAC615CC56D98EED101A82DEFA463F4A06827E5B8DE2F32BD565366FCDC90661falsefalse - insufficient disk space 10341000x80000000000000001563390Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.259{761B69BB-C193-6081-2686-00000000BA01}4206872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563389Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.114{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563388Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:55.113{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563387Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.113{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563386Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:55.113{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563385Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.112{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563384Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.112{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-C193-6081-2686-00000000BA01}420C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563383Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.112{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563382Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.111{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001563381Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563380Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.674{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F17E309A1004075328508922E59944D,SHA256=4B8CF518CC31A5558BD856E997F203DC50FCB421712EAF0D725A39E2A66D1001,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:56.162{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:56.162{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6446E55EBCFA410D07C540A670635F03,SHA256=F16F239B2EFDB11447BD5B16D6A249B0F13FFA33A6D4146F98FFE94F6F37BED2falsefalse - insufficient disk space 10341000x80000000000000001563411Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.454{761B69BB-C194-6081-2886-00000000BA01}66366344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563410Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.321{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563409Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
18:33:57.668{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001563458Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:01.781{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B2C76B2BFF54F88A65A957B55C2437C,SHA256=7CDD7291B5F47D1E865F483D5E178416F5158C5F80AC2F271FD916E22650EE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563457Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:01.715{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA8304F87772297988ACC466C8AAF4E,SHA256=DBEC5241EFB30AB44BCF3703DE547BD4E82F6CC69929CCEBF6D83A475CA4C5D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:01.238{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:01.238{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709EF6921863A62B7B47FDDABBE848F0,SHA256=775CDAC45C264A723FA59A4B244BF2D59A63BB94BE6AB7C623F259F920CC0ED8falsefalse - insufficient disk space 10341000x80000000000000001563456Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:01.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563455Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:01.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563454Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:01.029{761B69BB-C198-6081-2B86-00000000BA01}57885036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563461Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:02.717{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3553657DE0F6130CF4B3650FA9552270,SHA256=C82262C0342CAA3AEDCC3A2CE5377631D2C0878EFB4C55B05030C519C22BAF59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:02.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:02.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA0B049A688CF8815119719C2C4E1F5,SHA256=F2AD2D62E055C8243059C6756CAE03DD393FF694F9665979B2C2D354380FF616falsefalse - insufficient disk space 
10341000x80000000000000001563460Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:02.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563459Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:02.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563464Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:03.721{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116E4914CDB18BF38D340DF6F5A8726D,SHA256=E74C363A12213B26378902FB5376F0E008A761012AFC85E4C4193076E7A2B78E,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002529160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:03.276{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:03.276{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E78316846CFFCD6E5B3559EDC8FFA54,SHA256=412BC4069E5F2F6D74CD5CCB6993AA371A6581866F748A0329C9F1F1C65A9B28falsefalse - insufficient disk space 10341000x80000000000000001563463Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:03.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563462Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:03.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563468Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:04.727{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D737292B943C2B93BC397F8CCE965C6,SHA256=BAC48AD7A69D67C7F5E388E920E30BCD9BB800E2566382A6435F534587C312A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:04.330{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:04.330{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B4AD719A058DDCCE416A66D532B0CD,SHA256=FBD4729BB3435CBF914723A03E2A102F353F6ABB55F2A099BD28F808C2B447EAfalsefalse - insufficient disk space 
10341000x80000000000000001563467Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:04.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563466Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:04.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563465Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:04.033{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF2EBBBAC5AE8491A71067A53EB1B6C1,SHA256=432941590415336CE1839CB371A645F9EC124BF676DB10A71AF975E4612BDAEF,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002529164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:04.230{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:04.230{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD64F46C54697E47CADAA714B16D9E9D,SHA256=331AC6151CD3585C81E90CE599084AFC045584902125E6332CBEBD9C44E40C60falsefalse - insufficient disk space 11241100x80000000000000002529162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:04.230{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:04.230{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508CA1950E40BAD7639BBF5484711C8A,SHA256=7FB8FE807B3074ED6555A43E1C9570804163CB0AAFFD6408D207676A5EF35F03falsefalse - insufficient disk space 23542300x80000000000000001563472Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:05.732{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7466AB95DDC38453E8A13C2528D46DC8,SHA256=F62C57194F6C11A357AE0F75EB4D9DFFE4DADD73C6E99B93FA1E1753EDEEF98F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:05.364{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:05.364{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4840E948A9F8E15B52979073F2A403,SHA256=DCF18EDFD9458E6E3574A5DCFCA17239F94F2088C6FA9A58527303748548AF30falsefalse - insufficient disk space 354300x80000000000000001563471Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:58.511{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22349-false10.0.1.12-8000- 10341000x80000000000000001563470Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:05.049{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563469Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:05.049{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:02.680{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001563475Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:06.739{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F619B500D9FC4E9101367735F8EA6921,SHA256=1DA1AB81E1B032DFC77D443938062BFBFDF5259EA521E65D93B67A6250BACBC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:06.366{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:06.366{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C483869ADF92CC0FCA1434A1A4A575BE,SHA256=6CA45E579DD9992906032C2546098315354B93570C7F0825287623EB0542B3A1falsefalse - insufficient disk space 10341000x80000000000000001563474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:06.050{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:06.050{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002529170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:06.250{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 10341000x80000000000000001563482Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:07.909{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563481Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:07.909{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563480Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:07.909{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563479Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:07.746{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7029416A81690EC49F1D11B95CB44C88,SHA256=7D3219EDD7DF2004897BCFBD351949FDCDEE8D0ED5BDF2ACE6356D266E45FC2D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002529178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:07.823{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002529177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:07.807{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002529176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:07.368{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:07.368{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFD23AE105AF0632AC8DC33AFE4F578,SHA256=B4144D23291ADD100F67DC370A804575225B86BDB5983E8669680C1DF7F15D65falsefalse - insufficient disk space 23542300x80000000000000001563478Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002529206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002529205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:12.365{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002529200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000002529199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.365{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:12.350{21761711-C1A4-6081-BA87-00000000BB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:12.349{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:12.349{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:12.349{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:12.349{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:12.349{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:12.349{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001563504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:13.774{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E83C5E309AF5AB2A7AAFE3CF440FF5,SHA256=4DB79004442FB272E1CE92CB51491534A79C0230553F6A38A4A8D19A7A80D115,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:13.552{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:13.552{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E36655070DD0FA3833AB2904C49C324,SHA256=6D03B89434007ED548FC3CE905E800D68FDC7410F40475DCFDB08693AC9CDAB7falsefalse - insufficient disk space 10341000x80000000000000001563503Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:13.056{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001563502Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:13.056{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:13.352{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:13.352{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E269BBEF386BEF53C6F50124DFE5F805,SHA256=963250A858E98F7348685659E91B0CD4D2DE11F0AE988F8025CE8352E0DD8534falsefalse - insufficient disk space 23542300x80000000000000001563507Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.779{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB074212A9CD79B19D1E8066C231670D,SHA256=E916BB20697A9CB29CAF75377F946FFA89548A6B870205F0E27E0B024BF3751E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:14.570{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:14.570{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE27B5EEAF58F3E6410A4EF78A942D22,SHA256=A0B68BC2F65C5269DA134F1C64310DE5EB375037DDBE1647AE6A16F3CE418806falsefalse - insufficient disk space 10341000x80000000000000001563506Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.057{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:14.057{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002529257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:14.370{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF109239e3.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000002529256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:14.370{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF109239e3.TMP2021-04-22 18:34:14.370 254200x80000000000000002529255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:14.370{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\grxil3wn.tmp2021-04-20 
20:22:02.3742021-04-22 18:34:14.370 11241100x80000000000000002529254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:14.370{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\grxil3wn.tmp2021-04-22 18:34:14.370 23542300x80000000000000001563512Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:15.853{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D0C6D87B540D4098D3889FC7A07ED8,SHA256=242C2D621D3D70F32E16026394666B7841D2F7C8ED0A4D85C500DC4136180146,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:15.573{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:15.573{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEAC822E8316F82A576F77DB594FE899,SHA256=CA4CD85CD4F2731CEECDA3E02E372C3753D1CD429EA6C9F914E25B745F532741falsefalse - insufficient disk space 10341000x80000000000000001563511Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:15.058{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563510Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:15.058{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563509Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:15.040{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B91A770E91F9B650F10D6889CF45C7,SHA256=220B1C4C649EA1600FB89919781317F800ECF5860E443E0E6361EAB13096E0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563508Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:15.039{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=423D5E3766D4B0BA9A1950A728A4397C,SHA256=54AF401046767F57EA1D1A4CD62A0716DB84ED62DD40E28B3E1752EAA4181F22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:15.025{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:15.025{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E0C5EA4C4458BF167D4C467183423F,SHA256=09ABB332C89CA778FEDEA24E3F15F3A2D36FE897EDC954E374C80DE80F5207D7falsefalse - insufficient disk space 23542300x80000000000000001563517Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:16.859{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FC85AE29BBAC28F3905B9A4BF998C9,SHA256=B57F788BCCAE9A2313D6186712B834C09EA7752FB714D480802FDD0B2B10785C,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002529326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.876{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002529325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:16.876{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002529324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.876{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.876{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002529322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.760{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000002529321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.760{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.760{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002529319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:16.760{21761711-C1A8-6081-BB87-00000000BB01}7692\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002529318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.760{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002529317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002529316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002529315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002529314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002529313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002529312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002529311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002529310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002529309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002529308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002529307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft 
WindowsValid 734700x80000000000000002529305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002529303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002529302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002529301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002529300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002529299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002529298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002529297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002529296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002529293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002529291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002529290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002529289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002529288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000002529286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 
(rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002529285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002529284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002529283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002529282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002529281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000002529280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000002529278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000002529275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000002529274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.745{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.730{21761711-C1A8-6081-BB87-00000000BB01}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:16.729{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:16.729{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:16.729{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:16.729{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:16.729{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:16.729{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002529266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.575{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002529265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:16.575{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30A1198AA5429972C759C8D2685A5A6,SHA256=729D08610AF41D854B5BE94C47E703253174FCF255600604C7A1CB430FC93B80falsefalse - insufficient disk space 23542300x80000000000000001563516Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:16.667{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B91A770E91F9B650F10D6889CF45C7,SHA256=220B1C4C649EA1600FB89919781317F800ECF5860E443E0E6361EAB13096E0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563515Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:09.538{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22351-false10.0.1.12-8000- 10341000x80000000000000001563514Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:16.058{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563513Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:16.058{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:13.472{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50739-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001563521Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:17.866{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD07CEB2402776A11913B9C6953EDCED,SHA256=7E11D47172FD1AC835DABF80B5FE05ECA5F7AC0498EEDE0F8820AB7C0B572F91,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002529441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002529440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002529438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002529437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002529436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002529435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002529434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000002529433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002529432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002529431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002529430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002529429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002529428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002529427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002529426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002529425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002529424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002529423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 
734700x80000000000000002529422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002529420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002529419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002529417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 11241100x80000000000000002529416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000002529415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 
734700x80000000000000002529414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002529413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 23542300x80000000000000002529412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28583EB29C29FCC7D74C938A8474E5E5,SHA256=100B31A785E01F972B0886A7C4012446FD4F1EEED6A1FB93313B5C708F7399DEfalsefalse - insufficient disk space 734700x80000000000000002529411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002529410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002529409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002529405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002529403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 
734700x80000000000000002529402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.932{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002529401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002529396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.916{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.914{21761711-C1A9-6081-BD87-00000000BB01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.913{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:17.913{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.913{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:17.913{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.913{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:17.913{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002529387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CFC7879A12B36B1DF631B6B98D987B,SHA256=20B9363F0BD92639AA47C4DBA2167FFF6D05D6434621EBCB5DD30F6A9408AA51falsefalse - insufficient disk space 11241100x80000000000000002529385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.911{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.910{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88E2DC072314B54888F3B465D3FAD358,SHA256=90631DCBDF861A6A76E2B9159F211B6CC62E7C265034421DE83A53392EA40D14falsefalse - insufficient disk space 12241200x80000000000000002529383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:17.832{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000001563520Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:11.169{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22352-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563519Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:17.059{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563518Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:17.059{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002529382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.562{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.562{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002529380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.562{21761711-C1A9-6081-BC87-00000000BB01}58562604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.562{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.546{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
734700x80000000000000002529377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002529376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002529374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002529372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002529370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002529369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002529368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002529367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002529366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 
734700x80000000000000002529365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002529364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002529363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002529362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.431{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002529361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002529360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002529359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002529358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002529357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002529355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
734700x80000000000000002529354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002529352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002529351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 
734700x80000000000000002529350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002529349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002529348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 
734700x80000000000000002529346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 
734700x80000000000000002529342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002529341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002529340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002529335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.415{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.409{21761711-C1A9-6081-BC87-00000000BB01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.408{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:17.408{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.408{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:17.408{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:17.408{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:17.408{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001563527Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:18.872{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54536B6F35E069B2A4E4151708CED2B,SHA256=F407DD3E8F62E798D8F1E4CBBEA83546A2E12906C331FCB2118E970E46CACA57,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001563526Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:34:18.690{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x80000000000000001563525Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:34:18.687{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Config SourceDWORD (0x00000001) 13241300x80000000000000001563524Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:34:18.687{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_59F158BB-F4A4-42E1-B81F-FD8310C406A3.XML 10341000x80000000000000001563523Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:18.060{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563522Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:18.060{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002529502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.734{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002529501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.734{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002529500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.734{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.734{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002529498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.612{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002529497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.612{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.611{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002529495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002529494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002529493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 
734700x80000000000000002529492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002529491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002529490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002529489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002529488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002529487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.596{21761711-C1AA-6081-BE87-00000000BB01}8024C:\Program 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002529579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002529574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.968{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.953{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.952{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:19.952{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:34:19.952{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:19.952{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.952{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:19.952{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000002529565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.420{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.420{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002529563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.420{21761711-C1AB-6081-BF87-00000000BB01}72325508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.420{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.419{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000002529560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:17.300{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50740-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 734700x80000000000000002529559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:19.298{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002529558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002529556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002529554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002529552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002529551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002529550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002529549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002529548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002529547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002529546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002529545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002529544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000002529543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002529542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002529540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002529539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002529537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002529536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002529535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002529534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002529533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002529532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002529531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002529530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002529528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002529524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002529523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002529522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002529517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.282{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002529515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.267{21761711-C1AB-6081-BF87-00000000BB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000002529514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.266{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002529513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:19.266{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002529512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.266{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002529511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:19.266{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002529510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:34:19.266{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002529509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:34:19.266{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000002529508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.066{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002529507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.066{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DCF97A539F9EEADA3627461DB461D4,SHA256=77E91FC32D0F4897AC3CD402DB040B6753B4220983F0788474C67A868F7C0F3Afalsefalse - insufficient disk space 11241100x80000000000000002529506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.050{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.050{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E98677B6F72363241F7E5A29FD6C933,SHA256=5F0A1310CCF00C92148D3AB535529C7CBC5C83E40DA9924FC5746624686FA967falsefalse - insufficient disk space 11241100x80000000000000002529504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.050{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:19.050{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=541B120411DE22678C1E56A44CD9A6BF,SHA256=B62EAC70A07D965D03317842B4003C166052D228AE8D8CF95F1B8A5E09DAB8C8falsefalse - insufficient disk space 
23542300x80000000000000001563530Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:19.685{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79D06D7CBDDD0369853878E842E923A2,SHA256=1EBEF89620CA5AC575D6BFA6DC191DD8E413839D39134D844B5BC08057156593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563529Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:19.061{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563528Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:19.061{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000002529627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.269{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.269{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590B1C6DF20499477E74E7611EF13177,SHA256=FF0DCE35CB989693B6BE414B3519D399D966E358476D987AB32DB867ACCC8092falsefalse - insufficient disk space 11241100x80000000000000002529625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.238{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.238{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE5A26BFCD29D4CBACA8761084A16C9E,SHA256=8EEE76F84B1FA559925914BF658C2973D16404D93D9DF08FAF54422C5138F469falsefalse - insufficient disk space 11241100x80000000000000002529623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.238{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.238{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF5E07EB8EC1A3FCE0E2D4ED8EE93F7,SHA256=4741B84AE87F978DE720050FE155CD12A029D357A317434099553DCBAF335532falsefalse - insufficient disk space 534500x80000000000000002529621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.100{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002529620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.100{21761711-C1AB-6081-C087-00000000BB01}37484508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.100{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows 
Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:20.100{21761711-C1AB-6081-C087-00000000BB01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001563537Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:20.882{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C430C19C42A1D67E7CA05E469C2CD068,SHA256=9C6FD293328733FE5A29DAFC4996F28CF963F94A534BE583D75DC850671747B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563536Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:20.684{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5616C331E72DCCD02EAD9A9F90516F5D,SHA256=B3F9F6ECBE8EE3C2759CBE073DECF2F31FBE6699D9F79B52E68211BE0FABEF35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563535Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.182{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22353-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001563534Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.182{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22353-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 10341000x80000000000000001563533Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:20.062{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563532Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:20.062{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001563547Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:21.888{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D14472CD8A86374D66B48FFDCD17381,SHA256=2C7E2C9148E4ABBA4CE57D141EAA672E4730174E135E11C999796794DB70321B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:18.704{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:21.122{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:21.121{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A38D3474A1F7AA456694449C02C6F7,SHA256=5DC3A23BDB8E85E1E7568042016ED57E6B19EE9826FCBD11D21628498EF9377Efalsefalse - insufficient disk space 23542300x80000000000000001563546Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:21.746{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E684C086FBE942C74C8C58DEBD8E7A2,SHA256=C46222D6DCE4DA04E3CF99902419C481FDE8778A511B895AA888BFE55400C064,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563545Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:21.382{761B69BB-818C-607D-0D00-00000000BA01}9046508C:\Windows\system32\svchost.exe{761B69BB-84D2-607D-F802-00000000BA01}1484C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001563544Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.671{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22356-false10.0.1.12-8000- 354300x80000000000000001563543Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.201{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22355-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001563542Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.201{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22355-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 
354300x80000000000000001563541Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.196{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22354-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001563540Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:14.196{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22354-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 10341000x80000000000000001563539Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:21.063{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563538Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:21.063{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563550Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:22.892{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7694A125745CAD6F7D6E1576C6C64267,SHA256=BCF2843485B13CB30D5FA310E8D6D462FC9BF294F7CB460AD0A9A9E2487E5AE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:22.158{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:22.158{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC1DABA1A1F5DAEBFCFC636682CD19,SHA256=18478A477553D9B34E11A8277C91AC3C10B2843A3B5C194DBC06BE1A9B035708falsefalse - insufficient disk space 
10341000x80000000000000001563549Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:22.063{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563548Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:22.063{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563553Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:23.897{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7107BB464535BD10F6DAA23203C08FC,SHA256=46A041587E3E7A22738785939472601006EAE03C8097063364D3003FB15AB72A,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002529634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:23.207{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:23.207{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3097BE5517041EA8B5ABF3BA6E54E657,SHA256=5EF70B12B7AB9074779D54DCD3B66F02B7D7377FB802BAE35E755FAF83AFE360falsefalse - insufficient disk space 10341000x80000000000000001563552Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:23.064{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563551Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:34.071{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:35.875{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:35.875{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0BEADB36D161B007B990D439406189,SHA256=6666E79AB90156EFF2CA421A6C642CD6FEDF65C8265B3BF4BCEE312A3CE5B064falsefalse - insufficient disk space 23542300x80000000000000001563598Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:35.217{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22B167F650C32419401FEA605E712569,SHA256=670951AD7C4C38950FA8BEDC0DDD3164122291D366D4BA2B38DD9FB9F112A237,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001563597Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:35.190{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A237F4BF277D4118A7AC432BE5D1A38,SHA256=6FCCC26E73CD3B8A5D568AE92ABB5FDF5F3004C7E4DD1412F271E30F70770EB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563596Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:35.071{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563595Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:35.071{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000002529681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:34.557{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:36.877{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:36.877{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078BB70AD713B64660DA10293F0E38C7,SHA256=4747350B11BA6FA182BCA96AAF7A00733F249CF2689CAE63AC0E5EE5F3DDBD1Efalsefalse - insufficient disk space 23542300x80000000000000001563601Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:36.193{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60003D7F9BCD2F47042D015DD0EFFAC,SHA256=12872375E2EC3AF88F41234F3FA26418A125CF1B43F4D908A98C9B2B02D53F7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:36.091{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:36.091{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7AE550A5C5D190A9695920CAC71C670,SHA256=D574D88147AB3A932B054EDFF0FB86EE7837E36136CC8878B969F040B98228D6falsefalse - insufficient disk space 11241100x80000000000000002529676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:36.091{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:36.091{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F06F595D7E2A562B8780714EA83B44A,SHA256=6B744B79E80006B13CD6EBFBBE26F68C9E13C46C44897DD84A607E49BE669A01falsefalse - insufficient disk space 10341000x80000000000000001563600Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:36.072{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563599Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:36.072{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:37.927{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:37.927{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1885197E1D6FBAF54047E9B98228DD2,SHA256=875D7CA43EE0F8A547E64688E33F75B04E3FCD6076F54D0C05DF91812D9DD840falsefalse - insufficient disk space 23542300x80000000000000001563605Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:37.198{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10BA0BC63756A86F9F53BA3DBE8B3FC,SHA256=6115DA7002ECA302DABC5A85B3666713C7CFD99ADA2399EC68FDB6E7DBE81253,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002529682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:37.880{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000001563604Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:37.090{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39ED10FFB6F8BE887D3C9EB4632180C1,SHA256=272FD1776B0FFB2C9A09B86EEBA98410624F95F66DD18941ABCC7DF75F064FE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563603Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:37.073{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563602Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:37.073{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001563609Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:31.579{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22361-false10.0.1.12-8000- 23542300x80000000000000001563608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:38.203{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DFAFCAA18E08A62AD0AF1D91456DF6,SHA256=0C3FEEF1304FCC814FF3BF0CEBCFDB17077A14F9C89EF6BFFD0918EC700A4986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:38.074{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563606Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:38.074{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:37.349{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50747-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002529688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:39.098{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:39.098{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7AE550A5C5D190A9695920CAC71C670,SHA256=D574D88147AB3A932B054EDFF0FB86EE7837E36136CC8878B969F040B98228D6falsefalse - insufficient disk space 11241100x80000000000000002529686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:39.098{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:39.098{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4391BEFE861F05083BD0ECB4FE231B8F,SHA256=4AD6C885078E104C13E4139225961A51B28DD6C622D6BBEF9CC12E26BABEB278falsefalse - insufficient disk space 
23542300x80000000000000001563612Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:39.211{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039B8E0AB14757B4ED64A6A71DDF28A9,SHA256=F9EE671655A273AB2835FAD09402D52D0F777E5CFC95EBE5470D6CB3018CD195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563611Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:39.075{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563610Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:39.075{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000002529691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:40.147{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:40.147{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B2522AAF7A6EEC6865DE58F512ADEB,SHA256=0BDCCC0E529924597C4A91B0C599F6CB0205B274C2AAE85388B742420F572171falsefalse - insufficient disk space 23542300x80000000000000001563615Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:40.215{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644E52033C955A67B9F022EED9233230,SHA256=7BF9293A3396C4A4EEFDEB80C7A46332D734577436DCF7DEAA419D8EDA2EB1B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563614Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:40.076{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563613Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:40.076{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563650Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:41.391{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563649Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:41.391{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563648Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:41.391{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563647Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:41.391{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563646Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:41.391{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563645Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:41.391{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563644Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FD4F1BCAF35D63BABC8FF97D545892,SHA256=4ED3A83E2D4CE6C92D8A058A72C527AFE3B5FDF5769819C6FE6B439C34CFC0A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563667Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:46.080{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563666Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:46.080{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563673Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:47.802{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E7A435F4D42723E01FF457228D863A,SHA256=FA87CA4704B31F7EE209827D66865533A7FEC33E3B488EFF959377F66906A8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563672Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:47.801{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4327148D15815B8F244FAE48DC540AB1,SHA256=529C8B7726FF6C247BA9C01CF4549AF4846F84EF87459A5CE7954BC25D4C72B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563671Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:47.524{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46C2DB3CC047FF7E26E178803AFDFE6,SHA256=F323B8BA649945CAC5103DFD656FB0E928CEDEA7D0DBC32A1A073090F059501D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002529718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:47.903{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000002529717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:45.567{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 12241200x80000000000000002529716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:34:47.834{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002529715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:47.283{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:47.283{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EF1DECD0F9A737FB5ED15FE276D7F1,SHA256=64B3372C79153E82ED8A9A6AF8D90A14320872E4443DA212F0008C2F0108FC3Cfalsefalse - insufficient disk space 11241100x80000000000000002529713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:47.217{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:47.217{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D9B283D59CBCCBC178CFF4A620B7D98,SHA256=C4FAD0C294AD44D1B181B24CE41E6AB3EB159562AE480ADF47C05561979561ADfalsefalse - insufficient disk space 10341000x80000000000000001563670Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:47.081{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563669Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:47.081{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001563677Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:42.296{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22363-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001563676Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:48.530{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6B3ACA303973DF1978C45BD70DDD95,SHA256=0722D72B4336EC3455C4EDCA62EDA4F6B085558231DAF6D27FE5DD8D8AB32BB8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:48.937{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:48.937{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87CAEE7A8030ECEC6044C39DF17694E9,SHA256=B946B82F43D2DEB2A6161E0A9ABB2088B0670A4A01BC19C2DF9FA7DE86557312falsefalse - insufficient disk space 11241100x80000000000000002529720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:48.286{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002529719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:48.286{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7D69C52604FAA6C95CDFCC252FE5D8,SHA256=2876019000F39AE64035F36B2C21BF847E1168FF701ED94522658EE67EDCA603falsefalse - insufficient disk space 10341000x80000000000000001563675Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:48.082{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563674Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:48.082{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000002529725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:47.303{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50751-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002529724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:49.507{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:49.507{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5D4CE1943F129B804493C07354AE03,SHA256=26525A22385E13B56A4F2400E563F57C093BC4338D1B8C38725E81AF4B235E49falsefalse - insufficient disk space 23542300x80000000000000001563683Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:49.538{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F823BDDC010BB4EBE43D11AF1BC1B6BA,SHA256=1AC36B0E37D665811F4AD8995EEEC34A7666DB8DE6A78FBEA56AD12E391E5DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563682Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:42.598{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22364-false10.0.1.12-8000- 354300x80000000000000001563681Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:42.416{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse169.254.255.255-138netbios-dgmfalse169.254.79.158win-dc-982.attackrange.local138netbios-dgm 354300x80000000000000001563680Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:42.416{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse169.254.79.158win-dc-982.attackrange.local138netbios-dgmfalse169.254.255.255-138netbios-dgm 10341000x80000000000000001563679Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:49.083{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563678Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:49.083{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:47.372{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50752-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002529727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:50.510{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:50.510{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE59415C8887EA0FBFB4C71BA3BBA23,SHA256=8A47D94B816095851709FD0670C60AA6FA2261A01C9C120CADBFA9B0FA2FD485falsefalse - insufficient disk space 10341000x80000000000000001563688Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:50.914{761B69BB-818C-607D-0D00-00000000BA01}9046508C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563687Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:50.543{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35EAA0123FC6FE186526D1BAD9F33E0,SHA256=B2FB0CA18BB08075D612D7FAF20DD18FFA96A0BFE51AC21A262C76041D85E623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563686Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:50.083{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563685Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:50.083{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563684Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:50.082{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E7A435F4D42723E01FF457228D863A,SHA256=FA87CA4704B31F7EE209827D66865533A7FEC33E3B488EFF959377F66906A8FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:51.559{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:51.559{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8912DBB43AAB26BDC138ED4559469433,SHA256=B6633915C66583DD9EBC0E4C43E2B4CBD304AE36FDC7BEE9690BB8E0DCF34BF8falsefalse - insufficient disk space 
23542300x80000000000000001563700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.550{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624EA7A05DFBC89F143C5072FDA98E9A,SHA256=65505E60FB701596CB66FBF51879FC4E706F097B693E3D9E2384F273FAA4B70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.169{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.163{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C1CB-6081-2C86-00000000BA01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563697Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:51.161{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563696Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.161{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563695Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:51.161{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563694Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.161{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563693Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:51.161{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C1CB-6081-2C86-00000000BA01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563692Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.161{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C1CB-6081-2C86-00000000BA01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563691Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.159{761B69BB-C1CB-6081-2C86-00000000BA01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001563690Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.084{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563689Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:51.084{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000002529732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:52.615{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:52.615{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EC136926CA8E93BD8114C6C43CB5C7,SHA256=5B41C51AA33499BB888E9CC9555093A209647312B8FFDA005902D605E780E374falsefalse - insufficient disk space 23542300x80000000000000001563705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:52.562{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C548BA880B804A7865B364D5EF954796,SHA256=2CCB058D76F9BE71232A4E694F68441B7C2F6448128BB0FF493E8080C472DE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:52.278{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12FC6BAB9BA28E4C1FE519DFCD7C9154,SHA256=31F4ED9D24A8CF0D067D9C376B18C5BE9E6C3377B95DA273EAFB47E4ECF18EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:52.165{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7264A3BB7EF88C8386CB0F94F1C0D37,SHA256=41D4D57F358D214AB02D123B6CEB74C7FDC04FEB3C1EEF42529846266922A57F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:52.084{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:52.084{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:53.749{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:53.749{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5690380E720CC424E631E291FC5652D3,SHA256=FF8537FE8FA541AE3E794F2190DCB818BF66D47400B112F247356DCB5B69D335falsefalse - insufficient disk space 354300x80000000000000001563710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:46.666{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22365-false10.0.1.12-8089- 23542300x80000000000000001563709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:53.566{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C63F7D612D7C47D64C6EF06701B6CAF,SHA256=60991D13CCB5DFBBEDA44D9B60E659A14A29DE76AAC14F1480CB5A4D004D5EEF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:53.147{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:53.147{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1627A9120FA1DD36FE04E2D487B9F0F8,SHA256=648F94A4143A3A20ED218C53E52FEF9EA6CFD1BCFE5353F34E6358BEC66463D4falsefalse - insufficient disk space 23542300x80000000000000001563708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:53.237{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC71C1045DA81B46FDC5035FD8756C0C,SHA256=4CE0DB3CC62150033609C8944655CE8B09FE476FB437DF36DC25CF5117E42EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:53.085{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:53.085{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:54.983{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:54.983{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0B562ECE968F124F84BEC8EF42A2CF,SHA256=C5957F1454A41C5FC055CDF8CFF23ACE4DD2936BAB58D0D38B323EAC6CB0B63Efalsefalse - insufficient disk space 23542300x80000000000000001563714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:54.574{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1E4F175473B26B9393EB9A6680EF51,SHA256=D9B4F27DCA778C8EC0D61626B45520451C9337116391141AA89C4DB05EF7BBB3,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002529737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:51.582{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001563713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:47.735{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22366-false10.0.1.12-8000- 10341000x80000000000000001563712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:54.086{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:54.086{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563734Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.747{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C1CF-6081-2E86-00000000BA01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563733Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.746{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563732Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.746{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563731Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.745{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563730Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.745{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563729Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.745{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C1CF-6081-2E86-00000000BA01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563728Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.745{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C1CF-6081-2E86-00000000BA01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563727Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.744{761B69BB-C1CF-6081-2E86-00000000BA01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001563726Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.580{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFAD0ACD9FEE63DDC552B61E37C387D,SHA256=85174C494996907877A64A8EF45E3C143CF529C8988E1821917799F922474C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563725Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.250{761B69BB-C1CF-6081-2D86-00000000BA01}56204784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563724Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.107{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C1CF-6081-2D86-00000000BA01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563723Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.105{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563722Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.105{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563721Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.105{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563720Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.105{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.105{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-C1CF-6081-2D86-00000000BA01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563718Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.104{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C1CF-6081-2D86-00000000BA01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563717Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.104{761B69BB-C1CF-6081-2D86-00000000BA01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001563716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:34:55.087{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:55.087{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563747Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:56.588{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7C9E832DD7D5F7694B0B8036454541,SHA256=357037C046E8E320E1004CA25C85503A811DE7D90C8843D207A474F18552697D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:56.224{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:56.224{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0645C5CC7C7AEFC116F961F5E47488,SHA256=1AF7BC4AFFDAE8E9505EA39EED8225C82E1F06FFD481400EED3D2C24031F7E55falsefalse - insufficient disk space 10341000x80000000000000001563746Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:56.396{761B69BB-C1D0-6081-2F86-00000000BA01}56446008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563745Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:56.263{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C1D0-6081-2F86-00000000BA01}5644C:\Program 
18:35:00.226{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563771Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:00.226{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C1D4-6081-3186-00000000BA01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563770Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:00.226{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C1D4-6081-3186-00000000BA01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563769Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:00.226{761B69BB-C1D4-6081-3186-00000000BA01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001563768Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:00.091{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563767Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:00.091{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:34:57.612{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002529753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:34:57.396{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50754-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001563793Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:01.910{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75056B30B6AA8DFF007B17F5EA0B1AA7,SHA256=C58C1BDE8CA8B1AA1693E81CED5CE2ED043705DDEA5FD110C8D0740BE0063924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563792Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:01.631{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AC03EDE536E460E7188FB488753A0B,SHA256=FCDAB813BF39D464A144D5E58D830C6B675E89082BC6ABA23057BCA2D1FFA5B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:01.452{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:01.452{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFCEEFDFFF3AE28CB4C870D40827E09,SHA256=CA077F68A45A60B1C54B768F1CD4A6931F488505980FD769A066BC854A3F218Afalsefalse - insufficient disk space 10341000x80000000000000001563791Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:01.092{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563790Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:01.092{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563789Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:01.050{761B69BB-C1D4-6081-3286-00000000BA01}33047004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:02.634{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE72A41657E5AC3F83F04CF3E6239E3A,SHA256=F0DE03809642A0CFDF82E54057B9072EC0F8884AAD285C1CAA318A2B74C39389,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:02.486{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:02.486{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0752F77523B8720A68F52364E1FCC3C3,SHA256=2F053B624CC5856B428CDF4FB2D1F807CC730C797F6A8638CEE71D0507D1165Bfalsefalse - insufficient disk space 
10341000x80000000000000001563795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:02.093{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563794Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:02.093{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:03.637{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F219E1BCF622755D23640E8AD5006F9B,SHA256=42D73511EA2DC69DF7D8DE65C8E63E470C23AAA96A7245824F8FBF632C591EAE,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002529762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:03.524{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:03.524{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73FEC3B74BCB0F5243D2ACB7E2180B6,SHA256=48B464F895AE596986A70AC6D6D2F1905977F7CD8346379DD4E0B2DC9E487C5Dfalsefalse - insufficient disk space 10341000x80000000000000001563798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:03.094{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:03.094{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:04.911{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F81A5E5B13F48D6D7AB5EEF6FCA8051,SHA256=4E3E80C0EC18F427148DD5A0581DE0280A09921AAC33C37A54927A3C8DBB4E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:04.642{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C4F92364C1BBA39FD3790034982459,SHA256=7D88FCD7601D2DB92F9CE5AA00ED8A519AB2613D8EFCD62EA69C500A29798B18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:04.544{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002529767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:04.544{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AAC0C2A1596D772B5F519461CE0CC3,SHA256=B4A5E6834BF0F21C3F66FD298072DD113458E137AEBE779BDB0753731C907E61falsefalse - insufficient disk space 10341000x80000000000000001563801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:04.095{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:04.095{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000002529766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:04.159{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:04.159{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72ABEF24349EDB3FE4B76CA5BDA6E673,SHA256=D988799425A9D0F4C1E4467EE821C4904D4E6607C0EE80B21943A421FD24901Cfalsefalse - insufficient disk space 11241100x80000000000000002529764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:04.159{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:04.159{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17F0628816646B25825AF9B30E057D0,SHA256=0B3BFAA233F5F3585CC9168B051F1EDF055A85961150048FFA739DC4DB00DE14falsefalse - insufficient disk space 23542300x80000000000000001563807Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:05.650{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D1F9F0AF81526AE85DA8DE5A5F90E3,SHA256=7EABB1C881FD33A70807E3896B39393A92823B0B3B921F9BD2B385A4E2E612DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:05.678{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:05.678{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D9089ECEB5AA6163B81AC37F588EAC,SHA256=C07768EC4E52911424421762DED9DC95F3EF80FDA3B809E2EA3707E1B15C1BBAfalsefalse - insufficient disk space 354300x80000000000000001563806Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:59.379{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22368-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563805Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:05.096{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563804Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:05.096{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:02.625{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001563811Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:06.653{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9681ED6B14B86F0E0547EFE1632375D4,SHA256=5C425119A0AC514E395E84EC7525CEDEBB1074D5CEF4FB17D6935277C0DD90A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:06.696{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:06.696{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB929771F5C0303C432959457FE0EE11,SHA256=F3F19846AECDECC9CA67F52366777446CB52CD7A9A3EABB80AEF0B39413A7EE8falsefalse - insufficient disk space 354300x80000000000000001563810Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:34:59.513{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22369-false10.0.1.12-8000- 10341000x80000000000000001563809Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:06.097{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563808Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:06.097{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563814Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:07.659{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B42AEB37866EEC203571296CAA295D,SHA256=BF99D1D4AADFA3A0EFF9E90D0666C33467AD39F02FA947FC8914944AA4836C63,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002529777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
18:35:07.931{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002529776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:07.852{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002529775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:07.698{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:07.698{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10278D47CB377E19CED10AB77013298D,SHA256=A3676D9E0724203E600FB453D5EFA309DAC2170E63B4C97754031769FB73A79Cfalsefalse - insufficient disk space 10341000x80000000000000001563813Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:07.098{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563812Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:07.098{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:08.886{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:08.886{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72ABEF24349EDB3FE4B76CA5BDA6E673,SHA256=D988799425A9D0F4C1E4467EE821C4904D4E6607C0EE80B21943A421FD24901Cfalsefalse - insufficient disk space 11241100x80000000000000002529779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:08.736{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:08.736{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C0146480594DB71B80BB03882BB5AA,SHA256=67D92F48C76FE1296DE5AD7578F1CF04B102362FFB2AE05936FEF5C2EA2B467Efalsefalse - insufficient disk space 23542300x80000000000000001563817Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:08.661{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242FFFF5AC4ADBCF9E8A8D1FD35E379A,SHA256=858F980F508037F9673470ED2358F764E5CF421D94D294BB6D5481044C77ED56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563816Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:08.098{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563815Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:08.098{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:09.772{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:09.772{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFC24F357C293B6EA64B99178307BDC,SHA256=AB4148D68EF353F92EA2EAEF5ECC6731BB5A3655699EFDE6FD3175DAF4A2E7BAfalsefalse - insufficient disk space 23542300x80000000000000001563820Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:09.665{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B2B36949439DF6311739AEAE733EB8,SHA256=DC208B73FD960E8FA2291F6BE5652B3F77E4FC31B47EE86990CDC531DA250DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563819Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:09.099{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563818Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:09.099{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:10.775{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:10.775{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37FEB3E2294704D0F4FD282EF60CCDC,SHA256=FBBC275EC618F8D2B2B0D7A4968BBB68D14BD19D3CF6713F9CBD239DD142DCD3falsefalse - insufficient disk space 23542300x80000000000000001563825Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:10.676{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030385C10A8B0B5FC34C1A8E29E4B2DE,SHA256=7C6E82FB2674E23A7A3688AA2D0BB2844480F331B58EEB4AF4D78DD6B5FA3847,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002529786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:07.652{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002529785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:07.400{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50758-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002529784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:07.321{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50757-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001563824Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:10.142{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DACB920D7CB086509D4D15E1DCB6492,SHA256=8E69B50EFBBD683B764F7900931FB14738F711A386740F4E0B451E5642E1201B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563823Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:10.141{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B93EA36D2BBE774B49BE18974C8512D,SHA256=E0324D2A129CE40824290F5634A8122754283D5E880FD20792F1CAA6605C4EA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563822Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:10.100{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563821Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:10.100{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:11.777{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:11.777{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D025840793CB82F49CAA3D8EAB2EF93,SHA256=AEDE6E66F5981B0F4B9667FC441D54AF28E7F128123F70944D39B43ED0D5F679falsefalse - insufficient disk space 23542300x80000000000000001563829Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:11.680{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1EEAD5F67F194AC0CB002D1A10A895,SHA256=2BD0A220D2E8A0CF92E998570713FD0D529D3214AB734547ABB612FBE0872349,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563828Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:04.639{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22370-false10.0.1.12-8000- 10341000x80000000000000001563827Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:11.101{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563826Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:11.101{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.980{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.980{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B8A21966F33F9F54C06203933D3025,SHA256=7F6D8690D3B6B8AF2A104D4150F7DC96053C036D53182A37EDEDA75E1D826958falsefalse - insufficient disk space 23542300x80000000000000001563832Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:12.686{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749E543A8F066149C326558849001874,SHA256=52D245D4925587C592784311D637001A38A1C64BF8561C159E1BB46132080983,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002529846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.510{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002529845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.510{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002529844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.510{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.510{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002529842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.394{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002529841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002529839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002529838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002529837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002529836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 
734700x80000000000000002529835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002529834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002529833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002529832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002529831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002529830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002529829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002529828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002529827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002529826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002529825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000002529824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002529823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002529821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002529820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002529818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002529817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002529816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002529815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002529814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002529812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002529810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002529807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002529806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002529805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002529804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000002529801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002529799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.379{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.364{21761711-C1E0-6081-C187-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:35:12.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:12.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:12.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:12.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:12.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:12.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001563831Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:12.102{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563830Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:12.102{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563837Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:13.691{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D4A4D09A1181874B76E46EF476725A,SHA256=18C9CFF5C25A9AA8918749E2E11EA9CA34FA620EB714F7FCA8162C3A5EB00ECE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:13.365{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:13.365{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891275A802383F02FA4A84C8D7468189,SHA256=173CE1BEE902589174FFD13DB75408BDB4107732FFA923142B1F8081948D3196falsefalse - insufficient disk space 354300x80000000000000001563836Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:07.560{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22371-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563835Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:13.103{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563834Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:13.103{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563833Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:13.075{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DACB920D7CB086509D4D15E1DCB6492,SHA256=8E69B50EFBBD683B764F7900931FB14738F711A386740F4E0B451E5642E1201B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563840Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:14.703{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225CE5C1602F6147D68FACC005BA0B27,SHA256=1A40A3745E6C8807A39A212DE312FA7AFCB32E60C9CEBB6510AB569AD4710D73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:12.712{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:13.998{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:13.998{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475593F9653B59913D593B77776790CA,SHA256=50117D25D956018041CA725C2CA2C8C9B61FBE1FB466858156129B7D3337B6CEfalsefalse - insufficient disk space 10341000x80000000000000001563839Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:14.104{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563838Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:14.104{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563843Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:15.708{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B78F3317099C248E6EEC0E0F61C349E,SHA256=2893B9A6F463C285445F22952A29714FA0C6BC7303711800E58869B0F9B96584,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:15.001{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:15.001{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1324A752DE976A23CB1F3B95A88440,SHA256=BAAFF580B0B90E04E7E7DDA3724969A2BBDEA9ED362D0FCB8CAF68F166DA9FF6falsefalse - insufficient disk space 
10341000x80000000000000001563842Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:15.105{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563841Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:15.105{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563851Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:16.713{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A340575624107F331F4BC0B5764B90B7,SHA256=C3C4E673F5BC50EBD6763BBFD0CA2D9FA1F4ABE65CDE43360E9F2F62B4A5B9B4,IMPHASH=00000000000000000000000000000000falsetrue 
534500x80000000000000002529913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.874{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002529912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.874{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002529911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.874{21761711-C1E4-6081-C287-00000000BB01}64127192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.858{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002529909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.858{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002529908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.752{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002529907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.736{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002529906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:16.736{21761711-C1E4-6081-C287-00000000BB01}6412C:\Program 
18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002529954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002529953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002529952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002529951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002529950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002529949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002529948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002529947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002529946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002529945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002529944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002529943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002529941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002529938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002529937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002529936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002529935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000002529933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002529932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002529931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002529930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002529929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 
734700x80000000000000002529928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000002529927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000002529922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.422{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.407{21761711-C1E5-6081-C387-00000000BB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:17.406{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:17.406{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:17.406{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:17.406{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:17.406{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:17.406{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001563855Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:17.383{761B69BB-818C-607D-0D00-00000000BA01}9046508C:\Windows\system32\svchost.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563854Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:17.383{761B69BB-818C-607D-0D00-00000000BA01}9046508C:\Windows\system32\svchost.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563853Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:17.106{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563852Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:17.106{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001563859Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:18.747{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7029C0105164D972DD899781855B0353,SHA256=0436D99B157E5303276F9FF8E78E57308F53AA50A2839B09FECE0B639A124573,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002530097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.941{21761711-C1E6-6081-C587-00000000BB01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002530096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.941{21761711-C1E6-6081-C587-00000000BB01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002530095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.941{21761711-C1E6-6081-C587-00000000BB01}54047212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002530013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002530012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002530011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002530010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002530009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002530008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002530007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft 
WindowsValid 734700x80000000000000002530006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002530005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002530004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002530003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002530002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002530001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002530000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002529999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002529998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002529997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002529996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002529995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002529994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002529993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002529992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002529991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002529990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002529989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002529988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002529987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002529986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.124{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002529985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:18.109{21761711-C1E6-6081-C487-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002529984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:18.108{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:18.108{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:18.108{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:18.108{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002529980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:18.108{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002529979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:18.108{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001563862Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:19.752{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D3C1D897D69E952B5096E2FA7E2FA9,SHA256=3A4A96471530FE7FE489B3888472038990B944E80B446640DBFDB10BC310584F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.944{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.944{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB9474E77018D52AA2F67064ADD4DBF,SHA256=BE8A17060201924894439BF4B00D611561162172B2733C0F5EAB564681CEE7D0falsefalse - insufficient disk space 11241100x80000000000000002530158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.897{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.897{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C822BEDD2C0687730C3606043FFCB9,SHA256=91422F6FF4B3C3BA410FD6528618C0FB1128B7604E93B9A948A3E483A8BDF8A1falsefalse - insufficient disk space 10341000x80000000000000001563861Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:19.106{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563860Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:19.106{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002530156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:17.408{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50761-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 534500x80000000000000002530155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.643{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002530154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.643{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002530153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.643{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002530152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.643{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002530151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.561{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.560{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C421CD6177C7F84D709E563A4BE89C85,SHA256=89FD62B05183F2610F6119B819103C160A9748160296E7048A71B2B10F472B17falsefalse - insufficient disk space 734700x80000000000000002530149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.512{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002530148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.512{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002530147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.512{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002530146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002530145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002530144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002530143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002530142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002530141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002530140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002530139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002530138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002530137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002530136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002530135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002530134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002530133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002530132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000002530131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002530130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002530129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002530128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002530127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002530126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002530125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002530124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002530123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002530122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002530121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002530120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002530119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002530118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002530117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000002530116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002530115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002530114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002530113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002530112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002530111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002530109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002530108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002530107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002530106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.496{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002530105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:19.496{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002530104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:19.481{21761711-C1E7-6081-C687-00000000BB01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
18141800x80000000000000002530103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:19.480{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:19.480{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:19.480{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:19.480{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:19.480{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:35:19.480{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001563865Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:20.760{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346A42332B3C358D4158ADBFEC616259,SHA256=66EF5389520E2BAD656ADA2D26768DFD4939CD8E7B656894B889E707DD56E477,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001563864Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:20.107{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563863Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:20.107{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002530217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:17.724{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000002530216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.329{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002530215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.329{21761711-C1E8-6081-C787-00000000BB01}36403292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.329{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002530213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.329{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
734700x80000000000000002530212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.213{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002530211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.213{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002530210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.213{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002530209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:20.213{21761711-C1E8-6081-C787-00000000BB01}3640\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002530208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:20.213{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002530207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:35:20.198{21761711-C1E8-6081-C787-00000000BB01}3640\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002530206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.198{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002530205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.198{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002530204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:20.198{21761711-C1E8-6081-C787-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA9B408341E627DB2C0BD9FDF247498,SHA256=5D21C17011779EA7F5118F8873FFA302B3D0FC451A1D166C4EEE67E700DABCB8falsefalse - insufficient disk space 23542300x80000000000000001563887Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:26.797{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922A9B17DD99706F61BF3C262AB0B6FA,SHA256=8265701DF7AA3DE3A3EB9B9B50C56A3B89A6C923FBD242365F6A94CE5B32A281,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:26.159{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:26.159{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D875F509053FD53F7FF08F9E043DCC,SHA256=F39748B3ED94575247DF72F26143E9EA6D03CAC6AC5B66EB5551DDFB80E69FE2falsefalse - insufficient disk space 10341000x80000000000000001563886Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:26.111{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563885Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:26.111{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563891Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:27.799{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6FD739CA3E6E614452B60690BA66FC,SHA256=37A9EA0383E105BBF0D4DA3A01699949F37E2318C6617EDAD09065B688A1B500,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002530240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
18:35:27.948{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002530239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:27.863{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002530238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:27.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:27.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA20E3F89951FA9F68303FFD1D9F956,SHA256=CA070D028C9A71FDECF716F390ED58E43A1618C12CFAD78E5C3B9CED5E246779falsefalse - insufficient disk space 10341000x80000000000000001563890Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:27.111{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563889Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:27.111{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563888Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:27.063{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=132774256625921E9AC45FB9598CA3B4,SHA256=490B297D96DFDA5778707792FFEBE61A974981AEF24C6369B93BE4F7CEC3EAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563895Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:28.806{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E353E87C2C20DEB06D24D948A6B87A7,SHA256=9127D96646E7558BD026BF852E84248F69378FEC2F475CEFD08EB1F7E0550131,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:28.164{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:28.164{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F12AF4B88637583EAFBF7C191F3F6D7,SHA256=815AF99A7A71CA0F58A9FFF73948322D084A4014983E634F67310EA69003BB0Dfalsefalse - insufficient disk space 354300x80000000000000001563894Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:21.550{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22374-false10.0.1.12-8000- 10341000x80000000000000001563893Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:28.111{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563892Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:28.111{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563898Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:29.809{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26756F6164743DBD8DF65EE0775A16B4,SHA256=0F3A3FBBD761909788CDC6A5C96711BE0C91862CC96ED9EFBC9F54BA45475B5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002530248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:27.416{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50765-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002530247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:27.332{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50764-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002530246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:29.251{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:29.251{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7775AE74E0370A371766BE15B12A362,SHA256=6693FE7C45D7319C169380352B319A4D1ACDA329A4EA64083E0F8ADBACC55578falsefalse - insufficient disk space 10341000x80000000000000001563897Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:29.112{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563896Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:29.112{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:29.066{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:29.066{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA12B19A972FED5B80C343B530F75360,SHA256=02B52F215FB942DED121C91C7D376878D337FBDF33D3DA6C133F3600F278E4CCfalsefalse - insufficient disk space 23542300x80000000000000001563901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:30.813{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40090CBB908FBE8C3B69719A2102EC94,SHA256=CA981592A5159B5E47DDF846E9450DE50BB1F7415E86F0EFE0044B41EE707238,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:30.253{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:30.253{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12C1B75AC0D23EE24D75327C6FBD3D9,SHA256=9B92FD4973B92420B97D1BB5053D4EFE94C9C99933B22ABAFDF39C559BC94944falsefalse - insufficient disk space 10341000x80000000000000001563900Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:30.113{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563899Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:30.113{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563907Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:31.817{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668688571A420E06B3D0443CEE60A7BA,SHA256=C3F065D3D502C0C94EF7D969D16F1294AF3680E0CBF223C98152B046A042C85A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002530255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:29.575{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002530254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:31.289{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:31.289{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A5E94DD43561D4BD0EEBE612359CAE,SHA256=FAEB23D8E89E5862B7C9F9306ABF34090D69F185AFCAF5F00D98DC164513FAFEfalsefalse - insufficient disk space 354300x80000000000000001563906Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:25.689{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22375-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001563905Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:25.689{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22375-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001563904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:31.199{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44FF7AA62C28FB6436B6B2843530F1C0,SHA256=04685BFD45AF94FE45A71D61D340D922F72A505CEEC81628962BC56122E68384,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:31.114{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:31.114{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:31.171{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:31.171{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA7CD206317652EF81B58F5C738B8837,SHA256=67919CED106EC6DD8AD177014A78C0342FA4828645A8D6DDA5A31133B6369384falsefalse - insufficient disk space 23542300x80000000000000001563911Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:32.819{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDFA6DA9B5A2AD9BFFF704D21A616DD,SHA256=7E94657F65F300F65112A0A6CC2A5D49C6AC4EF7CDCC0789D4DF6D9FCC4B5D33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:32.474{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:32.474{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA95FF92342FB55F78FF8746213FB47,SHA256=DC27FAFA76765729516B27D93E1C81FBE1E251189E7AC2029D9948147405087Dfalsefalse - insufficient disk space 
354300x80000000000000001563910Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:26.687{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22376-false10.0.1.12-8000- 10341000x80000000000000001563909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:32.115{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563908Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:32.115{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:33.824{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
18:35:44.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002530309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002530308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x10939ba5) 12241200x80000000000000002530307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000002530306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7379d-0xec179494) 13241300x80000000000000002530305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d737a6-0x4ddbfc94) 13241300x80000000000000002530304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d737ae-0xafa06494) 13241300x80000000000000002530303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002530302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x10939ba5) 12241200x80000000000000002530301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000002530300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7379d-0xec179494) 13241300x80000000000000002530299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD 
(0x01d737a6-0x4ddbfc94) 13241300x80000000000000002530298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:44.920{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d737ae-0xafa06494) 11241100x80000000000000002530297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:44.741{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:44.741{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFDB3B951F3A7B1673C8F5C4387A432B,SHA256=3E9D5BA4228960C03ECD564C7D5F946964C28D8E241B8E9B7EDA36DEAA709037falsefalse - insufficient disk space 11241100x80000000000000002530295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:44.071{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:44.071{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2B8A4280FD9F626935D9FFCADE0D0A,SHA256=7EF5CEDD4EFD8A829CE0B8E78EDB56DE94DD5A9088525562FD838D267F1F9948falsefalse - 
insufficient disk space 23542300x80000000000000001563958Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:45.918{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED4631259ACBF84D89DA24D5E2D25ED,SHA256=0C441A05EEF09886A0B41025735588CF797D8F6DA1448FC50FC36A0B7E3B2222,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:45.158{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:45.158{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE1339197841DA5EAFAD7895AC90F2E,SHA256=8EE07B606288FB3CBDAA40553F4C617A86C453F8C4FB5465619173DBB54BE3F1falsefalse - insufficient disk space 10341000x80000000000000001563957Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:45.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563956Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:45.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002530310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:43.207{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50770-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001563961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:46.927{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D4B228939F6C37124BB91766ECC5CD,SHA256=C5DB0591F2507468AF8F81715217B36259A6DEE1AFD9F5C129325533D0199653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002530361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:46.661{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002530341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:49.442{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-C205-6081-3486-00000000BA01}4596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564030Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.435{761B69BB-818C-607D-1600-00000000BA01}13046212C:\Windows\System32\svchost.exe{761B69BB-C205-6081-3386-00000000BA01}3108C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564029Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.435{761B69BB-818C-607D-1600-00000000BA01}13041328C:\Windows\System32\svchost.exe{761B69BB-C205-6081-3386-00000000BA01}3108C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564028Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.430{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-C205-6081-3386-00000000BA01}3108C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564027Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.421{761B69BB-84CF-607D-F002-00000000BA01}43804688C:\Windows\system32\csrss.exe{761B69BB-C205-6081-3386-00000000BA01}3108C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564026Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.419{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C205-6081-3386-00000000BA01}3108C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564025Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.418{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-C205-6081-3386-00000000BA01}3108C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564024Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.413{761B69BB-84D2-607D-F902-00000000BA01}10443560C:\Windows\System32\RuntimeBroker.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001564023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.413{761B69BB-84D2-607D-F902-00000000BA01}10443560C:\Windows\System32\RuntimeBroker.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001564022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.412{761B69BB-88A9-6081-637F-00000000BA01}58366304C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.412{761B69BB-88A9-6081-637F-00000000BA01}58366304C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.397{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC637A979561BCDFD3E7C8EBDCC433C6,SHA256=9CC826A0E997CA8C56E31958F97DA334F402107F31E49EEA810FE07345CB3E2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.389{761B69BB-84D2-607D-F902-00000000BA01}10443560C:\Windows\System32\RuntimeBroker.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001564018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.389{761B69BB-84D2-607D-F902-00000000BA01}10443560C:\Windows\System32\RuntimeBroker.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001564017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.387{761B69BB-88A9-6081-637F-00000000BA01}58362732C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001564016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.387{761B69BB-88A9-6081-637F-00000000BA01}58364724C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.387{761B69BB-88A9-6081-637F-00000000BA01}58362732C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.
dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001564014Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.387{761B69BB-88A9-6081-637F-00000000BA01}58364724C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:49.383{761B69BB-88A9-6081-637F-00000000BA01}58364724C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.383{761B69BB-819C-607D-2900-00000000BA01}29204304C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001564011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.383{761B69BB-819C-607D-2900-00000000BA01}29204304C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001564010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.378{761B69BB-818C-607D-0D00-00000000BA01}9046828C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.378{761B69BB-818C-607D-0D00-00000000BA01}9046828C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.378{761B69BB-818C-607D-0D00-00000000BA01}9046828C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.378{761B69BB-818C-607D-0D00-00000000BA01}9046828C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.378{761B69BB-818C-607D-0D00-00000000BA01}9046828C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:49.378{761B69BB-818C-607D-0D00-00000000BA01}9046828C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:50.414{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B6077CF3F2B7250CFB6CA90551067C,SHA256=5E756F22D7712FB46511110DD253C6015CC4B65EB7D679A71661C8003B735F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564039Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:50.124{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564038Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:50.124{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002530396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000002530395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,17102418,7202269,41484365,17110988,7153487,39965824,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000002530394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000002530393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000002530392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 
12241200x80000000000000002530391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000002530390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000002530389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000002530388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000002530387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000002530386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.534{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000002530385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 18:35:50.533{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000002530384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 18:35:50.533{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000002530383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:35:50.533{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000002530406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:51.789{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:51.789{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47480DC83C9055127318467543C5EE88,SHA256=A1B10F43D45BD11628AC6AE89B1CE390D295951BF386B96BC63619A7C0260E5Bfalsefalse - insufficient disk space 10341000x80000000000000001564078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.773{761B69BB-818C-607D-0C00-00000000BA01}8443996C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564077Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.772{761B69BB-818C-607D-0C00-00000000BA01}8443996C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564076Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.772{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564075Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.772{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564074Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.772{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564073Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.771{761B69BB-84D2-607D-FA02-00000000BA01}2796716C:\Windows\System32\sihost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564072Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:51.720{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\W
indows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564071Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:51.720{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564070Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.720{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564069Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.719{761B69BB-819C-607D-2900-00000000BA01}29204304C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001564068Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.719{761B69BB-819C-607D-2900-00000000BA01}29204304C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001564067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.444{761B69BB-88A9-6081-637F-00000000BA01}58362732C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001564066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.444{761B69BB-88A9-6081-637F-00000000BA01}58362732C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001564065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:51.435{761B69BB-818C-607D-0C00-00000000BA01}8446724C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:51.435{761B69BB-88A9-6081-637F-00000000BA01}58364696C:\Windows\explorer.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001564101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.128{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.114{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C20B-6081-3686-00000000BA01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:55.113{761B69BB-818C-607D-0C00-00000000BA01}8443996C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.113{761B69BB-818C-607D-0C00-00000000BA01}8443996C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:55.113{761B69BB-818C-607D-0C00-00000000BA01}8443996C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.113{761B69BB-818C-607D-0C00-00000000BA01}8443996C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.112{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-C20B-6081-3686-00000000BA01}3112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.112{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C20B-6081-3686-00000000BA01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.111{761B69BB-C20B-6081-3686-00000000BA01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:55.013{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCBDF9CD80409E04911EB51E0DB6762A,SHA256=90004891D54A4FD40E48F62E08149FE71CFA2D42983A28170F7352F0CC0F014E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564135Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.871{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Window
s\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564134Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.871{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564133Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.870{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564132Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.870{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564131Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.870{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564130Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.870{761B69BB-84D2-607D-FA02-00000000BA01}27966820C:\Windows\System32\sihost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564129Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.716{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\Sy
stem32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564128Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.716{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.716{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001564126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.594{761B69BB-C20C-6081-3886-00000000BA01}9125560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.443{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C20C-6081-3886-00000000BA01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.441{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.441{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.440{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:56.440{761B69BB-818C-607D-0C00-00000000BA01}8444456C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.440{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C20C-6081-3886-00000000BA01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:56.440{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C20C-6081-3886-00000000BA01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000002530485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x80000000000000002530484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000002530483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000002530482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000002530481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000002530480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000002530479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000002530478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000002530477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000002530476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C887-00000000BB01}4508C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000002530475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:58.004{21761711-C20D-6081-C987-00000000BB01}3748C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x80000000000000002530474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:35:57.989{21761711-C20D-6081-C987-00000000BB01}3748C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000002530473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:57.989{21761711-C20D-6081-C987-00000000BB01}3748C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000001564155Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.712{761B69BB-C20F-6081-3986-00000000BA01}56485312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564154Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.579{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\permissions.sqlite-journalMD5=460027F934AA688E3DC4C7D82955C691,SHA256=2DD8E6F0CF4D0DEAEF00C91A16740FFA52D115A58323B84F0F7B2C186A6871AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564153Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.570{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C20F-6081-3986-00000000BA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564152Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.568{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564151Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:59.568{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564150Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.567{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564149Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:59.567{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564148Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.567{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C20F-6081-3986-00000000BA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564147Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.567{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C20F-6081-3986-00000000BA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564146Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.566{761B69BB-C20F-6081-3986-00000000BA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564145Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.260{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AAEEDFBABC74D8472B245BC9AD60C5,SHA256=75A59731C4A8E11BED09BD41278542E5F947075466AF306C0489E0C356AB0A0C,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002530503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:59.260{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:59.260{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FC2393CB4DCEC0ACD49A02C3A485CA,SHA256=48AB6CE042F649F8FC8D28CC72B7D86C4CF32012D48AFECEE650E38F92A6F43Cfalsefalse - insufficient disk space 10341000x80000000000000001564144Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:59.131{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564143Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:35:59.131{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002530501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:55.669{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50776-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002530500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:59.022{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:59.022{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=001E5ADBEB41AC1CED800E09F01D3004,SHA256=14CA052AADEC83227E0BF97FCAB2DF9569CE0524CC051081F4DE694EC3F3D608falsefalse - insufficient disk space 10341000x80000000000000001564176Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:00.914{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C210-6081-3B86-00000000BA01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564175Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.912{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564174Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:00.912{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.912{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564172Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:00.911{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564171Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.911{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C210-6081-3B86-00000000BA01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564170Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.911{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C210-6081-3B86-00000000BA01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564169Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.910{761B69BB-C210-6081-3B86-00000000BA01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001564168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.392{761B69BB-C210-6081-3A86-00000000BA01}32286160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564167Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.269{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1382EC88E1FE7E29CCBBC88E6DD13E4,SHA256=23D5C32BCF3E54CAC51A6988C033A261834FBEA377F037F162B9CFE2888D27F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:00.279{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:00.279{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC2237F979F791C3178D8DF48DA6092,SHA256=6080DDBD5381A15855C2B79BA77870FEB6C0DDE27C75EEDBD494DBDA7D911A80falsefalse - insufficient disk space 10341000x80000000000000001564166Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.248{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C210-6081-3A86-00000000BA01}3228C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564165Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.246{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564164Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:00.246{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564163Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.245{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564162Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:00.245{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564161Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.245{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-C210-6081-3A86-00000000BA01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564160Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.245{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C210-6081-3A86-00000000BA01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564159Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.245{761B69BB-C210-6081-3A86-00000000BA01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564158Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.145{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46FBEA9B3603BF50856A03CE4D7531C9,SHA256=A5889E13EEC3CA124B47BC0350CD36D485EF8A4AC0DAD5D8538DD14379D1214E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564157Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:00.132{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564156Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:00.132{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002530504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:35:57.444{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50777-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001564181Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:54.642{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22384-false10.0.1.12-8000- 23542300x80000000000000001564180Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:01.280{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305E0FC2D3A68ACE21E3E7775C9F197D,SHA256=4286EEA5EAA4BF5C90970A554A5783D2DB3656BC2178E544098743254EB9AF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:01.281{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:01.281{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D10FC2C759B4B3195DB4406520606C,SHA256=D1CC05F6A7A6ADFF3737324C24F79B1D0E2C0B1AC468BA23A1509D4D9DA29C47falsefalse - insufficient disk space 23542300x80000000000000001564179Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:01.248{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71C93863741BB396C6E7140378A1400,SHA256=879F8D841071190AEFCEEEA2A7CE2D9474504313A3AE4DE1F333DA2E5032EC96,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564178Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:01.133{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564177Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:01.133{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:02.346{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:02.346{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9C684888C4764FD260CB0A5D8607AF,SHA256=399E33625B7E53A655554B4239D3EEBB11171AAFE72424D6FC50504DC4E0A1FFfalsefalse - insufficient disk space 23542300x80000000000000001564184Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:02.286{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800FD3215EF066A9D9A47276303DBEEE,SHA256=F68E7BCEB84C8A400E71682B67DD7089EB9AEFC2B254B0F1EFCDFD727DBE1E02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564183Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:02.133{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564182Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:02.133{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:02.230{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:02.230{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=119F201F428FC1CAA57A696D1CEB4D68,SHA256=B835B7DE3F1024F4D894B9D525604FC2428C1FBA670A95C3DD86891C51517A8Dfalsefalse - insufficient disk space 11241100x80000000000000002530515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:03.349{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:03.349{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D876F37B63BD1605AF9C9ADA5DD869,SHA256=A34D214B5D22D60DA47E567D77E1C951FCB25D7D0A654FD2AEA28FC46300C7AEfalsefalse - insufficient disk space 23542300x80000000000000001564198Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:03.293{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E87351A161B029B85A8260B204965C,SHA256=8ECA669E58C01FFBAA70FA24B00008A0749CC74FF80B3B4B519436DD6BB81D20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002530513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:00.681{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000001564197Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001564196Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x109c112c) 13241300x80000000000000001564195Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 
18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7379d-0xf714dacb) 13241300x80000000000000001564194Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d737a6-0x58d942cb) 13241300x80000000000000001564193Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d737ae-0xba9daacb) 13241300x80000000000000001564192Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001564191Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x109c112c) 13241300x80000000000000001564190Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7379d-0xf714dacb) 13241300x80000000000000001564189Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 
18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d737a6-0x58d942cb) 13241300x80000000000000001564188Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 18:36:03.255{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d737ae-0xba9daacb) 10341000x80000000000000001564187Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:03.134{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564186Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:03.134{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001564185Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:03.104{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803028038A76E500A306E29AA02BE816,SHA256=780ECC74C86B909AE92C04F015C86D3D4ED1690124AD71788577587DD37247DC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002530517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:04.369{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:04.369{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EF264D6DD35A3B64CF5020E6B4CB3F,SHA256=B4048528A96E894CF332300AFEC20001D1CA0B4145C2940F8F71F2652E754BB6falsefalse - insufficient disk space 354300x80000000000000001564203Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:35:58.795{761B69BB-818C-607D-1100-00000000BA01}92C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:d02d:b038:b054:4f9ewin-dc-982.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x80000000000000001564202Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:04.317{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7393BCCDED04651A56D698C4EA42E8DF,SHA256=CD821C4E8F04D1985E1BCC7E80CC3F88C6503F7B24BE727C81058106C007FAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564201Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:04.295{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA4B4B1486C22C309D7FEA1DA4AFB55,SHA256=42F91AA73CEFA9D3533F001AE4C6611150955A0165B8472C5D38CBBA926F9AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564200Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:04.135{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564199Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:04.135{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:05.474{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:05.474{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0E07788AD1F32C214E79E836418A0C,SHA256=2F918864EA344BBDD403D42433D9967F44AC6B186294528E8E2798C1E33FC8D3falsefalse - insufficient disk space 23542300x80000000000000001564206Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:05.309{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650803F7A68BE771A85DDFA0F6731269,SHA256=B55113B9979AE0B7B4E17C90D8734C0C06AC3E6BAC37B14F8E8C3D509EB3856A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564205Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:05.136{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564204Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:05.136{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:06.494{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:06.494{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002530566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002530565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002530564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002530563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002530562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002530561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002530560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 
734700x80000000000000002530559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.390{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002530558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.389{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002530557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.389{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002530556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.389{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.388{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002530554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.388{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002530553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.387{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002530552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:36:12.387{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002530551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.386{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002530550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.386{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002530549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:12.371{21761711-C21C-6081-CA87-00000000BB01}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002530548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:12.370{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:12.370{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:12.370{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 
18:36:12.370{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:12.370{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:12.370{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001564231Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:12.141{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564230Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:12.141{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:13.927{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:13.927{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5620F5FA83E06677E275DE2FDE780764,SHA256=BFD9A1F5BAC12B4DEED46DAC910843A28C31F1E2DEC11055A9D7BAD319AB4F31falsefalse - insufficient disk space 23542300x80000000000000001564235Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:13.370{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016AB623992FA59236897DEC851AD358,SHA256=D2C6155FFDBC97EC5A1B6AAF78009FE3655219ED345484AF6525CFA83AB046D1,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002530602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:13.056{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:13.056{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4EC627DEFC258EC1A89466536C174B8,SHA256=3E44AD58245DEC95932C4AC2E9A87CDBB60D0A03E2E672EC006019BD385B4D42falsefalse - insufficient disk space 10341000x80000000000000001564234Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:13.142{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564233Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:13.142{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:14.930{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:14.930{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EC3B3C2CFD048AFF1EE45881360D43,SHA256=2220292CD53C51C7D57BA8F2B5B3186C509594AFA14D20FCE38FE38404112CE7falsefalse - insufficient disk space 354300x80000000000000001564240Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:08.639{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22387-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001564239Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:14.373{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EC4021F3E165F1FA5B2A3CC5A3934A,SHA256=6087153288225298A9ADFD0041CCFFEB89A953042E72DF3EEDB252FEE609D87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002530609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:14.375{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF10940eb2.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000002530608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:14.375{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF10940eb2.TMP2021-04-22 18:36:14.375 254200x80000000000000002530607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:14.375{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\fthikrb1.tmp2021-04-20 20:22:02.3742021-04-22 18:36:14.375 11241100x80000000000000002530606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:36:14.375{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\fthikrb1.tmp2021-04-22 18:36:14.375 354300x80000000000000002530605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:11.507{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001564238Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:14.149{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=133100B8BE8CAE292E136CD50E61DE94,SHA256=7FDE158D01021123FF6ED4BF78E87EF3752A4B42E49B7FB82A51B929DBBE4C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564237Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:14.142{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001564236Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:14.142{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:15.963{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:15.963{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50A76256AB2C06178DC1DE261E98D24,SHA256=F14E9A7968E39A934B9B9FE256A04969052113F618943901F4D6A940AC9DBD44falsefalse - insufficient disk space 354300x80000000000000001564245Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:09.966{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22388-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 
23542300x80000000000000001564244Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:15.468{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06A4339C1F735319A40D94136F0B7EFF,SHA256=0BD92DD3B5389D6983FDC783617B99B0941D16D52C7BCE963529E8ECBB50D0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564243Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:15.378{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C743742F9A8CFA1F330C0F8830D93A0,SHA256=DBD17BD113511594035FD76A3EFDBD5268704A83AB332830E884F7DC7B342206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564242Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:15.143{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564241Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:15.143{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564248Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:16.385{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8134B34685FA5677CB0D867FCD87A905,SHA256=BAAB60D0BB41FB9DBB23C7C33E49D551E7EAAEB18EBE93EB0B1008B0F91A62C9,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002530669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.866{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002530668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.866{21761711-C220-6081-CB87-00000000BB01}32004600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.866{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002530666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.866{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002530665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.750{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002530664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.750{21761711-C220-6081-CB87-00000000BB01}3200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002530663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.750{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002530662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:16.750{21761711-C220-6081-CB87-00000000BB01}3200\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002530661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.750{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002530660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 
734700x80000000000000002530659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002530658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002530657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002530656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002530655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002530654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002530653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002530652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002530651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002530650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002530649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002530648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002530647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002530646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002530645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002530644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002530643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002530642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002530641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002530640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002530639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002530638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002530637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002530636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002530635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002530634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002530633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000002530632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002530631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002530630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002530629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002530628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002530627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002530625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002530624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002530623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002530622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002530621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.734{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002530620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:16.719{21761711-C220-6081-CB87-00000000BB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002530619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:36:16.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:16.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:16.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:16.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:16.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:16.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001564247Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:16.144{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564246Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:16.144{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001564253Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:11.537{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22389-false10.0.1.12-8000- 23542300x80000000000000001564252Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:17.399{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002530835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002530834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002530833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000002530832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002530831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002530830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002530829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002530828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002530827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002530826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002530825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002530824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002530823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002530822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002530821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 
(rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002530820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002530819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002530818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002530817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002530816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002530815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002530814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002530813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002530812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002530811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002530810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002530809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002530808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002530806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002530805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002530804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002530803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002530802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.839{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002530801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.824{21761711-C222-6081-CE87-00000000BB01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002530800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:18.824{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:18.824{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:36:18.824{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:18.824{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:18.824{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:18.824{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002530794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.485{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.485{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5092FE51B429776ED060151B32366E,SHA256=DF1B2CB98B9B008559CF9081B59EE9C09A3FDE90BE507D05B90C86AE6800438Dfalsefalse - insufficient disk space 23542300x80000000000000001564256Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:18.414{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81237A11978C8B10E00FFE735193873,SHA256=89EE55613E7EF3CBB80B087BD6A9355934298E7A25D6AA50551EEDB54AABB269,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:18.145{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564254Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:18.145{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.423{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.423{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5965AE1C4E3C698430D27EDA98E4784C,SHA256=925C1514F856D99880787BA3AB008BEC23C099100ADAFE9A6A57FE25059BA2FCfalsefalse - insufficient disk space 534500x80000000000000002530790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.269{21761711-C222-6081-CD87-00000000BB01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002530789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.269{21761711-C222-6081-CD87-00000000BB01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002530788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:18.269{21761711-C222-6081-CD87-00000000BB01}61005244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002530884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002530883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002530882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002530881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002530880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002530879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002530878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002530877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002530876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002530875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002530874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002530873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002530872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002530871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002530870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 
734700x80000000000000002530869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002530868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002530867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002530865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002530864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002530863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002530862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C223-6081-CF87-00000000BB01}7376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002530861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002530860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.526{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002530859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:19.525{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:19.525{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:19.525{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:19.525{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002530855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:19.525{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002530854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:36:19.525{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002530853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.024{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.024{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71F7CC2E7F453B63D0DA035064285B1,SHA256=337D4D0DB5E8F692663C8D630624B7DCF72549EB5B5C7B28FDC939E597576F2Bfalsefalse - insufficient disk space 10341000x80000000000000001564258Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:19.146{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564257Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:19.146{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.659{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.659{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6AE76B5CCE57968093C41A414D92E2,SHA256=E9C5BB0B8E3ADE4A63A6CD91FCD48504A4CE99C01FEB885DD1343F59683209BAfalsefalse - insufficient disk space 11241100x80000000000000002530973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.543{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.543{21761711-8437-607D-CE00-00000000BB01}2032NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=304074322A8BF779E85A5508E0BF58FB,SHA256=08C5C3D2E3B7431EBD47E125359798A2462F0DDFA66E4771F6C161CF0B817BDEfalsefalse - insufficient disk space 23542300x80000000000000001564262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:20.423{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB1A3413F077DADBB12CDAB86F90F52,SHA256=8CC9D54A8E93ABB422551AB30D3EF0ECA800EA573513D4B70FF3DFBA0C41F607,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002530971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.374{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002530970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.374{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002530969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.374{21761711-C224-6081-D087-00000000BB01}33564304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002530968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.374{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002530967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.374{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002530966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.307{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
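The records above are Sysmon XML events whose tags were stripped on export, so the `<System>` header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) and the `<EventData>` fields run together with no delimiters. The following is an added example, not code from the dump, from Sysmon or from Splunk: it decodes that flattened layout for the event types present here (7 ImageLoad, 10 ProcessAccess, 23 FileDelete, 17/18 Pipe) and runs three checks over a constructed batch. The per-EventID field order is assumed from the schema versions the records carry; the four dump records are copied as-is, the two records marked CONSTRUCTED (an unsigned DLL load and a PowerShell read of LSASS) are invented test input with placeholder hashes and made-up GUIDs/PIDs.

```python
"""Decode tag-stripped Sysmon records like the ones in this dump and run three checks over them.
Added example, not part of the dump or of Sysmon/Splunk. Field order per EventID is assumed from
the schema versions in the dump (7 v3, 10 v3, 23 v5, 17/18 v1); CONSTRUCTED records are invented."""
import re

GUID = r"\{[0-9A-Fa-f-]+\}"
WINPATH = r"[A-Za-z]:\\"
HASHES = r"MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64}(?:,IMPHASH=[0-9A-F]{32})?"

# <System> block. Task == EventID for Sysmon, so the backreference is what splits "10341000x..."
# correctly. EventData then opens with RuleName "-", the pipe EventType if any, and UtcTime.
HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"0x(?P<keywords>[0-9A-Fa-f]{16})(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<event_type>CreatePipe|ConnectPipe)?"
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<data>.*)$"
)

# EventData layouts. With every delimiter gone, paths are recognised by "X:\" plus a known
# extension, and GrantedAccess is matched as lowercase hex so the uppercase "C:\" of the following
# CallTrace terminates it. SourceProcessId and SourceThreadId of EventID 10 ran together
# ("412976") and cannot be split without the original XML, so they are kept as one field.
DATA = {
    7: re.compile(
        rf"^(?P<process_guid>{GUID})(?P<pid>\d+)(?P<image>{WINPATH}.+?\.exe)"
        rf"(?P<image_loaded>{WINPATH}.+?\.(?i:dll|drv|exe|sys|ocx))(?P<version_info>.*?)"
        rf"(?P<hashes>{HASHES})(?P<signed>true|false)(?P<signature>.*?)"
        r"(?P<signature_status>[A-Z][a-z]+)$"),
    10: re.compile(
        rf"^(?P<source_guid>{GUID})(?P<source_pid_tid>\d+)(?P<source_image>{WINPATH}.+?\.exe)"
        rf"(?P<target_guid>{GUID})(?P<target_pid>\d+)(?P<target_image>{WINPATH}.+?\.exe)"
        r"(?P<granted_access>0x[0-9a-f]+)(?P<call_trace>.*)$"),
    23: re.compile(
        rf"^(?P<process_guid>{GUID})(?P<pid>\d+)(?P<user>.+?)(?P<image>{WINPATH}.+?\.exe)"
        rf"(?P<target_filename>{WINPATH}.+?)(?P<hashes>{HASHES})"
        r"(?P<is_executable>true|false)(?P<archived>.*)$"),
}
DATA[17] = DATA[18] = re.compile(
    rf"^(?P<process_guid>{GUID})(?P<pid>\d+)(?P<pipe_name>.+?)(?P<image>{WINPATH}.*)$")

PROCESS_VM_READ = 0x0010  # Win32 process access right needed to read another process's memory


def basename(path: str) -> str:
    """Last path component, lower-cased, for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_record(line: str) -> dict:
    """Header fields plus the EventData fields of a known layout; other EventIDs keep 'data' opaque."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a flattened Sysmon record: %r" % line[:40])
    rec = m.groupdict()
    rec["event_id"] = int(m["event_id"])
    layout = DATA.get(rec["event_id"])
    body = layout.match(m["data"]) if layout else None
    if body:
        del rec["data"]
        rec.update(body.groupdict())
    return rec


def analyse(records: list) -> list:
    """Unsigned image loads, LSASS memory reads, and a telemetry-health check on FileDelete
    archiving (the dump itself reports 'false - insufficient disk space' on every deletion)."""
    findings = []
    for r in records:
        rid, eid = r["record_id"], r["event_id"]
        if eid == 7 and "signed" in r and (r["signed"] != "true" or r["signature_status"] != "Valid"):
            findings.append(f"{rid}: {basename(r['image'])} loaded {r['image_loaded']} "
                            f"(signed={r['signed']}, status={r['signature_status']})")
        elif (eid == 10 and "granted_access" in r and basename(r["target_image"]) == "lsass.exe"
              and int(r["granted_access"], 16) & PROCESS_VM_READ):
            findings.append(f"{rid}: {basename(r['source_image'])} opened LSASS with VM_READ "
                            f"({r['granted_access']})")
        elif eid == 23 and "archived" in r and not r["archived"].startswith("true"):
            findings.append(f"{rid}: FileDelete archive failed on {r['computer']}: {r['archived']}")
    return findings


KEYWORDS = "0x8" + "0" * 15                                      # 0x8000000000000000, as in the dump
FAKE_HASHES = "MD5=" + "0" * 31 + "1,SHA256=" + "0" * 63 + "1"   # placeholder digests, not real

# Four records copied from the dump above, plus two CONSTRUCTED ones for the checks to fire on.
SAMPLE_LINES = [
    r"734700x80000000000000002530899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid",
    "73470" + KEYWORDS + "9000001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:40:00.000"
    + r"{21761711-C300-6081-D100-00000000BB01}4488C:\Windows\System32\rundll32.exeC:\Users\Public\update.dll-----"
    + FAKE_HASHES + "false-Unavailable",  # CONSTRUCTED: unsigned DLL loaded by rundll32
    r"10341000x80000000000000002530862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.541{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C223-6081-CF87-00000000BB01}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f",
    "1034100" + KEYWORDS + "9000002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:41:00.000"
    + r"{21761711-C340-6081-D200-00000000BB01}51205124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    + r"{21761711-83AE-607D-0A00-00000000BB01}652C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00007FF8A1B20000)",  # CONSTRUCTED: LSASS read
    r"23542300x80000000000000002530852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:19.024{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71F7CC2E7F453B63D0DA035064285B1,SHA256=337D4D0DB5E8F692663C8D630624B7DCF72549EB5B5C7B28FDC939E597576F2Bfalsefalse - insufficient disk space",
    r"18141800x80000000000000002530959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:36:20.243{21761711-C224-6081-D087-00000000BB01}3356\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
]


def main() -> None:
    records = [parse_record(line) for line in SAMPLE_LINES]
    for r in records:
        print(r["record_id"], r["event_id"], r.get("event_type", ""), r["utc_time"], r["computer"])
    for finding in analyse(records):
        print("FINDING", finding)


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind when working from a dump like this one. First, the decoder only recovers boundaries that a fixed extension or a known literal (`MD5=`, `0x`, `{GUID}`) pins down; the pid/tid pair of EventID 10 and the CommandLine/CurrentDirectory/User run of EventID 1 are genuinely ambiguous once the tags are gone, so for investigation the events should be re-exported with their XML intact (Splunk's WinEventLog input has a `renderXml` setting for this). Second, the third check is about the sensor, not the attacker: every EventID 23 here says `Archived = false - insufficient disk space`, which means the FileDelete archive directory is not retaining deleted files on this host and any later attempt to recover a deleted payload from it will come up empty.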
23542300x80000000000000002530965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.307{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0B322EC7563CF554B712A0FC576D39,SHA256=6394B047EE48868D6C7130FAFAFF8A7674D3F476FDE865C2890200C411466C2Bfalsefalse - insufficient disk space 734700x80000000000000002530964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.258{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002530963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.258{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002530962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:20.243{21761711-C224-6081-D087-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83FF9DAEDC959BD72054D1C40D12BE1,SHA256=5CDBB2CD4AC9343E9AB23BC7C376119B25A40EDC223A34712615715AC1BC3419falsefalse - insufficient disk space 23542300x80000000000000001564281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:25.459{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C610C89998B4F316D29047CC7595559,SHA256=6CDD33FE3289D8E98A5F0EBE5CA4488FB7379F06BC77BBFA4490F9DE288DDFE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:25.151{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:25.151{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002530992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:26.859{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:26.859{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FDEEA51969CBA1D2ACD6189E0DABE1,SHA256=AF46E915A27F0EA09944DD6BC5BC914007161C3618446A9B3A3B15800D1FFBE4falsefalse - insufficient disk space 23542300x80000000000000001564284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:26.473{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8716749B89FC977EA966625F97D50A5A,SHA256=7ACFE5EB853081AAE714814D499A4B8F73D676825520544B9E86C3659DBE8A99,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:26.152{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:26.152{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002530995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:36:27.908{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002530994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:27.861{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002530993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:27.861{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9A298A12D9421619D3F4385189168C,SHA256=5284F03155EC40317851DED56C3DD336C68DC6128570689FE559243F3A07BF00falsefalse - insufficient disk space 23542300x80000000000000001564287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:27.476{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D60EA4D025C6063300F8713E94C399,SHA256=E8CD37E10BF8DF39FF042969CAB8ACD9309D97072B832EC8E068C82C42326916,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:27.152{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001564285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:27.152{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:28.948{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002530999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:28.948{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E297B0CEEDF3B896AE5D03B2E8F63C7E,SHA256=C23D99DB93709D4FD558A56CE931152BA280E680775658E6C288C81C1BD794D6falsefalse - insufficient disk space 11241100x80000000000000002530998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:28.928{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002530997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:28.928{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9405651F271BE4EAF924FD775C88412E,SHA256=003F067E397F6589C67CC20EA1A5B9C6564F4F9570534CFF25D11C25242BFA1Dfalsefalse - insufficient disk space 354300x80000000000000001564292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:22.546{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22391-false10.0.1.12-8000- 23542300x80000000000000001564291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:28.486{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A4603BE81612D209432196AAEDDD3E,SHA256=8BCAE9EB9A638CD0A2A7AED8A2A1E4A7B2EAB1376A63A92F319F96FBB5FD1D2E,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002530996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:36:28.008{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001564290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:28.153{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:28.153{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:28.046{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592FF2880C9190BA94EFC353A586C296,SHA256=334882C4B7EB49B333BF9FF5671D4EA44A1C6E0E3F1C714ED126F87F29DD211F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:29.490{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E268D5BEEE6C602E04CA25FA328CBE86,SHA256=379B5F148C984D5D581F0AD5AAACF90F59CE0EF785C1576C0D890612458802C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:27.477{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50787-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002531001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:27.377{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50786-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001564294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:29.154{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:29.154{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:30.504{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A660AE6A3E63453F37158072449B3E6,SHA256=67D6717B415CC2FA078D0FE37EE13B7AE1E8973788F757812B5B466FCD661102,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:28.595{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:30.131{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:36:30.131{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43568B0A8162F871EE158B0F6FCC5C2A,SHA256=8E5954C7865231C08688B5B836541B85A2D6FA3EF36B5D0AC13C64C03155E65Dfalsefalse - insufficient disk space 11241100x80000000000000002531004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:30.066{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:30.066{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EEC78149ACCEF6F14C3CBDE566E2C5,SHA256=22476C70DA1C67C4E01BCEDC0659D6435B2377DEB9A0E24FBF5BDC7D0A2185DCfalsefalse - insufficient disk space 23542300x80000000000000001564298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:30.315{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CFF3E6BAC03CB7E85EE39D5880AA65F,SHA256=37D36AEBFF66ABAA3D491D217E7852642AF5E23FAD144D5220C93F8A2283CDD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:30.155{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:30.155{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:31.301{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:31.301{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF705C45FFD90068249B96DC4371E2D3,SHA256=4405BEB3467555587B7DA7D959FB4812FF4DC4C6CB4304311AC7CE6CE5FE451Dfalsefalse - insufficient disk space 354300x80000000000000001564305Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:25.690{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22392-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001564304Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:25.690{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22392-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001564303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:31.512{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449A66D17EE58F2872B13B18D0BF75B3,SHA256=8955278DC84B04A1DE291EB0C7F847CC59CAB75308BB5B46923022696765C43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:31.319{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887D79472602832742E8FB4B699BB266,SHA256=ADAAAAD215B317894171291BA8AA541D3057EA6A71361AF1D51E8903BE615B59,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:31.155{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:31.155{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:32.503{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:32.503{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6485B753783AF1BF0331A4C2F1C142CE,SHA256=A2F8E0F8BBE5ED7A7B73BA15A9BC4095A1EBCCEDFEC94616ECFC67D4A5D3DEE4falsefalse - insufficient disk space 23542300x80000000000000001564308Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:32.516{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD2865B6EF05FA5A2508FF8B32E41E0,SHA256=AF452876EE11349CA7BBAC85DC06F7D3B03033A29A0F329D6C98B8499424FEF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564307Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:32.156{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564306Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:32.156{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:33.606{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:33.606{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C1EC20097F4F91BF921A0D00C9C81C,SHA256=41AD32D20C659CF88AC75AE43C0BEDEF94172544D371E1E4D91A000DC83467BDfalsefalse - insufficient disk space 354300x80000000000000001564313Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:27.674{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22393-false10.0.1.12-8000- 23542300x80000000000000001564312Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:33.519{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B01808DBC96343820EDC31A70F67A1,SHA256=88FAFEE452B90514590E004202AE474C7F3195A2586246F11F8985C51A3638CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564311Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:33.174{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16EEE5EBD123E03DCB400F7E28D9E36F,SHA256=2631484BF0A25559749D200C5D9F18A9EAADC3E3F6C4EE234E8033D9847756D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564310Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:33.156{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564309Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:33.156{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:34.609{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:34.609{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A21554EABFF04EA314FE4FD4C3879A4,SHA256=85E5A156B06F5DE7CA399F2E41E49590A38586E766A7BF788BD2EAB01D51EBD1falsefalse - insufficient disk space 23542300x80000000000000001564318Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:34.869{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67215F010921377713D4CFB29B8A8F90,SHA256=A762BC21B9C9BFCCAD5EC6F8D9925759C966D4BDE1C40B5A778870C3F6B671FE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001564317Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:34.524{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A69CA061043F8680FFCD2899B0CEB1,SHA256=8752097AC4A6A816A4D6C1002DCDDD66B0FFD25DEAD47C3AC8C46B96654DFAC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564316Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:34.333{761B69BB-818A-607D-0B00-00000000BA01}6326220C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001564315Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:34.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564314Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:34.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:35.644{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:35.644{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6053F49BD2BAEAB04CE92EC8EA0A0B4,SHA256=D635495CE416288E36BA6539253886E00838C8B0D6703B092F9618089E974ADBfalsefalse - insufficient disk space 354300x80000000000000001564323Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:29.835{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22394-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001564322Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:29.835{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22394-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 23542300x80000000000000001564321Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:35.535{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9210F5D35D635AE067D0052137ADE2AC,SHA256=3E2917A4AD19D440E078115443BFA996F811580FD3F3175DD1FC4E5F870EEE71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564320Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:35.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564319Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:35.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:36.648{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:36.647{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0BA82D60D723974C73C218CA2CD04E,SHA256=9F9BD031FD4D90D7D937445E9977205263150E552D49F167BE8A8EF16E06CC7Ffalsefalse - insufficient disk space 23542300x80000000000000001564326Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:36.542{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9182FA5D6B947DDC4FE4BBE519B3D09D,SHA256=9B142FB96F329828576056B8977896AF418E5D4F05D7247EBC3F0346A6789FAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:36.166{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:36.166{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B7B0C9B3535E41A758C159866B3640,SHA256=D9A15593490DE5F92DE7E2DD325ACE86E4C2C845151CE3991B2287E8385C9FE2falsefalse - insufficient disk space 11241100x80000000000000002531019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:36.166{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000002531018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:36.166{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5699299CF49116319D475C50D8803578,SHA256=E00F00929FF931FBFCEA54DCF75437FF2276E10EF57A5DE00779DDE5F074980Ffalsefalse - insufficient disk space 10341000x80000000000000001564325Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:36.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564324Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:36.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000002531026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:37.801{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:37.801{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A664F4FEBF149634D16F2F4AA40D22A,SHA256=EA0193E654F744DA13E609F4661A41E86268F0C8BB43DBA83C292A711B1E7724falsefalse - insufficient disk space 23542300x80000000000000001564330Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:37.555{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AB6596B89520AC3E104E236F252685,SHA256=4F95CF713DFB8779EC70E99633CB7EBC1A55DAC9C3583969B7830F329E2D7126,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:34.612{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50789-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001564329Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:37.322{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ACEFEF3265ED00F2213D7FAA01BA308,SHA256=89A59EAA13988A9537E9681AC626EE122344AD045907A748200FA406CAF3E060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564328Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:37.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564327Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:37.157{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:38.803{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:38.803{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0638B6CD33AD384EF18390A183891BCB,SHA256=9B9BC38DF0DD97DCE282411FB309BF1BA547F6F9BDEB8FAB3188D6BA92A9B5D4falsefalse - insufficient disk space 23542300x80000000000000001564333Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:38.558{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFECF1A134DA04977723023ADC1220D,SHA256=FEDAC816E8D5DAD1C13F2F7E8DA671A8772E2A9566697D077048CC8039CB52C9,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002531027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:36:38.017{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001564332Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:38.158{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564331Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:38.158{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:39.821{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:39.821{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC39A7CC20C357DF948412B8CD97E6E,SHA256=A7F0A3E6B0406AA4BD7C8FEA4099CF077065D64B9CADBC55C1F54883C0D48230falsefalse - insufficient disk space 354300x80000000000000001564338Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:33.562{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22395-false10.0.1.12-8000- 23542300x80000000000000001564337Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:39.560{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D4708C7F601FED2E66C1FD487FAA7F,SHA256=747396C4CA7C49D261E1FA2232D5EE19C64DAF0D0CF1B113CC208E5B92EB2600,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:39.035{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:39.035{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B7B0C9B3535E41A758C159866B3640,SHA256=D9A15593490DE5F92DE7E2DD325ACE86E4C2C845151CE3991B2287E8385C9FE2falsefalse - insufficient disk space 
10341000x80000000000000001564336Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:39.158{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564335Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:39.158{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564334Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:39.130{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D7C91098A94C1F97080A7F1617D9910,SHA256=9E28C606523A5FC60332D06094EDAC16ADEA237110E245B7D979E9A3CBA70677,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002531036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:40.892{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:40.892{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB8850C52E0432CC9228E1209C41E2D,SHA256=B36974CECFA90DC1971061CCE21DBC37DD8680DD56E305ABFD2CE5399255D66Bfalsefalse - insufficient disk space 23542300x80000000000000001564341Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:40.563{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F563B6089994468D4D6884C8CC424C98,SHA256=5471960EF8FD7CCFAC96A8ECF4BEF345FDAE7FC5DAADCE3E5A2A7207A6959ECD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:37.485{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50790-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001564340Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:40.159{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564339Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:40.159{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564344Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:41.566{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE40562D947995BB7455903856AB407,SHA256=DA1686C1EA996E443AE4615DD3EA05CC75A1A966E3540C2193329E92F8079436,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:36:51.167{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564390Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:51.153{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C243-6081-3C86-00000000BA01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564389Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:51.152{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564388Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:51.152{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564387Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:51.151{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564386Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:51.151{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564385Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:51.151{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C243-6081-3C86-00000000BA01}1108C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564384Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:51.151{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C243-6081-3C86-00000000BA01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564383Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:51.150{761B69BB-C243-6081-3C86-00000000BA01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002531077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:52.620{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:52.620{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C48A6C387BE6F9205D4817C78D5C76C,SHA256=C7DAB388FBCFD5F76C5F707F93C4EEA2EF0E9E0FD63AE3DDEF86BB74DD24C2DDfalsefalse - insufficient disk space 354300x80000000000000001564400Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:46.690{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22402-false10.0.1.12-8089- 23542300x80000000000000001564399Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:52.631{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF07355062D13702136860166C106A5,SHA256=0FB78209F4CAC0931C51F9EC82DA4564307630629A19D4D4D994C7468E1B0A86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:52.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:52.119{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4AC007A156430EF17A48AFF33C1A6A,SHA256=0DDB69C0786AD9C222F551E7F9C6016A96D227379737CF09C201CBF1E269287Afalsefalse - insufficient disk space 23542300x80000000000000001564398Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:52.282{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5A61FCCE1E9894AC0315AD0F52B0655A,SHA256=F87614F8123E9192CB1FD46EB6B574A0AB9864B88756D1AD8DC8520988C02102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564397Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:52.168{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564396Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:52.168{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564395Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:52.164{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C569A5383E414EB7BBD3D8E4089F7B15,SHA256=2D4E1F92239E9800CE585B704537377FA4124F1CEFCEC43DDFA01383391ACE3A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:53.691{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:53.691{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088F8B58192653EBAB4BA41D6D287C04,SHA256=C5014B0F6C7E11E62007C2EEE58ABC5BD63EC710F895D01B27833CB0C32E05C0falsefalse - insufficient disk space 23542300x80000000000000001564403Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:53.638{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056D77BFEA920838B6DD8A89D8C77A08,SHA256=E1C1EE5AAEA9D40B85B4EE6DAE35FFA34A1BF11E1D262D771D97B2361330767A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:50.569{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50796-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001564402Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:53.168{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564401Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:53.168{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:54.910{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:54.910{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C9BDBAF7E9BF8243CDC86C5ED5D543,SHA256=DC402F17F91818B2F2180E3C10C15C84218FC501E97D75292FEFE0F5B7928F5Ffalsefalse - insufficient disk space 23542300x80000000000000001564406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:54.642{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62F99241DA76F2B77984D7036295FF3,SHA256=DDDA54946058895562A04BE9A1C3658B19090447A3B0B7475D3595A01F4E0EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:54.169{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:54.169{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:55.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:55.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CA2A4318B8CC68490F43903D9231EB,SHA256=4C76BE9124B14CEE73E4E8DDEFF437E95D6BFBBB6F8CA543FA6BA8E74874A0D5falsefalse - insufficient disk space 354300x80000000000000001564428Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:49.703{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22403-false10.0.1.12-8000- 10341000x80000000000000001564427Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.771{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C247-6081-3E86-00000000BA01}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564426Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.770{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564425Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.770{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564424Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.770{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564423Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.770{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564422Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.769{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C247-6081-3E86-00000000BA01}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564421Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.769{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C247-6081-3E86-00000000BA01}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564420Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.768{761B69BB-C247-6081-3E86-00000000BA01}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564419Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.649{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FC78F0B14337ED443FCF9F44DBFD39,SHA256=8C6323483029874806705FC6BDAC18CCC4F87B6B6E3C780CDB56D0FCF289C35B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564418Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.249{761B69BB-C247-6081-3D86-00000000BA01}61886160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564417Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.225{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBAA5D3B986A9BFA703CAA9C6574964F,SHA256=D9DD1DC3BDEBAE47972BA1396EE5CF927D874D8EDA2119D1E429DF34220380FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564416Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.170{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564415Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.170{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564414Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.109{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C247-6081-3D86-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564413Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.107{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.107{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564411Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.107{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564410Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.107{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564409Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:55.106{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C247-6081-3D86-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.106{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C247-6081-3D86-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:55.105{761B69BB-C247-6081-3D86-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002531086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:56.930{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:56.930{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8CD9F21B1F41A9CCD86E27D83DA2B6,SHA256=ED7F5803424D668DAD3A831065434D5AFA75A21A380DBC1F0B380D5C2A3224BCfalsefalse - insufficient disk space 23542300x80000000000000001564441Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.659{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14753260AA549415FA75CDA921D7519,SHA256=5B184E2E69777F676831333EDE97468A45CA1F1F0BE6E3C4222B21A1848642D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564440Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:56.540{761B69BB-C248-6081-3F86-00000000BA01}56725960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564439Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.393{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564438Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:56.391{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564437Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.391{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564436Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:56.391{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564435Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.391{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564434Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.391{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564433Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.390{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564432Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.389{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564431Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.254{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=839E580843AC214A5C2853091CF37A74,SHA256=F4C0815443675F17C41C5711A0F4AC666E972932648FA5DCAA1C984F0D998AA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564430Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.171{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564429Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:56.171{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564445Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:57.662{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF0200C4DB8D2DBBE1600D1447CAF30,SHA256=B0B5C07DCE90B40123DA64F5ADF12608FA7A2CE5E4078D60F1DD78C6C459554C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:57.262{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:57.262{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0440A89B211C1856B3F0D1AD2C5BA1F,SHA256=BAEF5D4183D3E74E18630FAFC93EECCDD2B2F14C4FC85408B405E141A332C6C0falsefalse - insufficient disk space 
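The export above has lost its field separators, so each Sysmon record arrives as one run of glued values (for example `10341000x8000000000000000…` is EventCode 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000), and the ProcessAccess source PID and thread ID have fused into one number (`41483464` is PID 4148 plus TID 3464). The following Python is an added example for this page, not Splunk, Sysmon or Attack Range code. It re-splits the export into records using the fixed header layout and Sysmon's field order (assumed from the records above), resolves the fused PID/TID by reusing a PID learned for the same ProcessGuid elsewhere in the export, and then triages the Event ID 10 records the way a detection engineer would baseline them: a parent opening the child it just spawned, csrss.exe and conhost.exe opening their clients, and query-only access masks are separated from injection-capable access by an unrelated process. The sample input is copied from the records above with call traces shortened; RecordNumber 9999999 and `demo.exe` are constructed for the example and do not appear in the log.

```python
"""Re-split a flattened Splunk export of Sysmon events and triage Event ID 10 (ProcessAccess).

Added example for this page; not Splunk, Sysmon or Attack Range code. Assumes the layout seen
in the export: EventCode Version Level Task Opcode Keywords RecordNumber Channel Computer, then
the Sysmon fields in schema order, all glued together without separators.
"""
import re

# Header. Sysmon sets Task == EventCode and Level 4, so a backreference disambiguates the fused
# digits: "10341000x8..." -> EventCode 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8...
HEADER = re.compile(
    r'(?P<code>\d{1,2})(?P<ver>\d)4(?P=code)00x8000000000000000(?P<rec>\d+)'
    r'Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-(?P<etype>[A-Za-z]*)'
    r'(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})')
GUID = r'\{(?P<%s>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}'
IMAGE = r'(?P<%s>[A-Za-z]:\\.*?\.exe)'
# Event 1: {ProcessGuid}ProcessId Image ... Hashes {ParentProcessGuid}ParentProcessId ParentImage
EV1 = re.compile(GUID % 'guid' + r'(?P<pid>\d+)' + IMAGE % 'image'
                 + r'.*?MD5=[^{]*' + GUID % 'pguid' + r'(?P<ppid>\d+)' + IMAGE % 'pimage')
# Event 10: {SourceGuid}SourcePid+SourceTid SourceImage {TargetGuid}TargetPid TargetImage
# GrantedAccess CallTrace. GrantedAccess is lowercase hex; CallTrace begins with a drive letter.
EV10 = re.compile(GUID % 'sguid' + r'(?P<sfused>\d+)' + IMAGE % 'simage'
                  + GUID % 'tguid' + r'(?P<tpid>\d+)' + IMAGE % 'timage'
                  + r'(?P<access>0x[0-9a-f]+?)(?=[A-Za-z]:\\|$)')

INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020  # CREATE_THREAD, VM_OPERATION, VM_READ, VM_WRITE
# csrss.exe and conhost.exe open every client process with full access by design. Matching on the
# image path is a convenience for this example; production rules should also check signer/PPL state.
SUBSYSTEM_IMAGES = {r'c:\windows\system32\csrss.exe', r'c:\windows\system32\conhost.exe'}


def parse_export(text):
    """Return one dict per record; headers are located first, each body spans to the next header."""
    heads = list(HEADER.finditer(text))
    events = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        ev = {'code': int(h['code']), 'rec': int(h['rec']), 'computer': h['computer'],
              'etype': h['etype'] or None, 'utc': h['utc'], 'body': text[h.end():end].strip()}
        pattern = {1: EV1, 10: EV10}.get(ev['code'])
        m = pattern.match(ev['body']) if pattern else None
        if m:
            ev.update(m.groupdict())
            for k in ('pid', 'ppid', 'tpid'):
                if k in ev:
                    ev[k] = int(ev[k])
            if 'access' in ev:
                ev['access'] = int(ev['access'], 16)
        events.append(ev)
    return events


def split_pid_tid(fused, known_pid):
    """SourceProcessId and SourceThreadId were glued ("41483464" = 4148 + 3464). Only a PID already
    learned for that ProcessGuid from another record makes the split unambiguous."""
    if known_pid is not None:
        p = str(known_pid)
        if fused.startswith(p) and len(fused) > len(p):
            return known_pid, int(fused[len(p):])
    return None, None


def triage_process_access(events):
    """Classify Event 10 records using relationships recoverable from the same export."""
    pid_of, parent_of = {}, {}
    for e in events:
        if e['code'] == 1 and 'guid' in e:
            pid_of[e['guid']], pid_of[e['pguid']] = e['pid'], e['ppid']
            parent_of[e['guid']] = e['pguid']
        elif e['code'] == 10 and 'tguid' in e:
            pid_of[e['tguid']] = e['tpid']  # target PID is unambiguous: an image path follows it
    findings = []
    for e in events:
        if e['code'] != 10 or 'sguid' not in e:
            continue
        spid, stid = split_pid_tid(e['sfused'], pid_of.get(e['sguid']))
        if parent_of.get(e['tguid']) == e['sguid']:
            verdict = 'baseline: parent-to-child handle at spawn (hollowing looks the same; watch the child)'
        elif e['simage'].lower() in SUBSYSTEM_IMAGES:
            verdict = 'expected: Win32 subsystem or console host'
        elif e['access'] & INJECTION_RIGHTS == 0:
            verdict = 'low: query/set-information rights only'
        else:
            verdict = 'REVIEW: injection-capable rights from a non-parent'
        findings.append({'rec': e['rec'], 'source': e['simage'], 'source_pid': spid, 'source_tid': stid,
                         'target': e['timage'], 'target_pid': e['tpid'], 'access': hex(e['access']),
                         'verdict': verdict})
    return findings


# Records copied from the log (call traces shortened), separated by the single space the export
# uses between records. RecordNumber 9999999 is CONSTRUCTED for this example and is not in the
# log; demo.exe is hypothetical and exists only to exercise the REVIEW branch.
SAMPLE = ' '.join([
    r'154100x80000000000000001564432Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.389{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x80000000000000001564433Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.390{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860',
    r'10341000x80000000000000001564434Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.391{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-C248-6081-3F86-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47',
    r'10341000x80000000000000001564438Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:56.391{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18',
    r'12241200x80000000000000002531091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:36:58.033{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections',
    r'10341000x80000000000000009999999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:00.000{DEADBEEF-0000-4000-8000-000000000000}12340C:\Users\Public\demo.exe{761B69BB-818C-607D-0C00-00000000BA01}844C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134',
])

if __name__ == '__main__':
    for f in triage_process_access(parse_export(SAMPLE)):
        print(f"{f['rec']} {f['source']} pid={f['source_pid']} -> {f['target']} {f['access']}: {f['verdict']}")
```

Two practical notes. The physical lines of the export above also wrap inside records at a position where a space was (after a date, or inside `C:\Program Files`), so rejoin the lines into one string before calling `parse_export`. The svchost.exe PID in the third Event 10 record is recovered only because another record in the same batch names that ProcessGuid as a target with its PID; when no such record exists the split stays `None`, which is the honest answer rather than a guess, and the triage still works because the image path and access mask are unambiguous.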
11241100x80000000000000002531088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:57.262{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:57.262{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFE8760ED0EA97CE39375263EB2824AB,SHA256=B29ED5B92E52FE9877D53649A8D9574DCF57F4CFD676481279057BCAE19E46E3falsefalse - insufficient disk space 23542300x80000000000000001564444Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:57.391{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4795C0B3D4CBAF7F9CDF4F6D4B26BF0,SHA256=D34F664FB11A36DCD51901DC8A74E9E715ED52F2B52EAFF4BA3BDF199A7A2E00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564443Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:57.171{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564442Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:57.171{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564448Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:58.664{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48104493A096D9325C57645AA5E33EE,SHA256=1FAE37E845BEB6A524B71E885FA2EBC5FF7860DD4DE3F4C770DBEC3CE3775A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:36:55.713{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:58.048{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:58.048{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829FFAA2A3C26EFA1C00756EE5BC3C6F,SHA256=284702A865DAD9420AD42D34DA7160AF531A2D5779FD9CA84BBE87F79E248814falsefalse - insufficient disk space 10341000x80000000000000001564447Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:58.172{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564446Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:58.172{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002531091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:36:58.033{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001564460Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:59.701{761B69BB-C24B-6081-4086-00000000BA01}52246736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564459Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:59.669{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31A53B479B88E052BEE9FEEDD6AE21A,SHA256=DD5085868AC29003FEA0E34787BE6B7484A1FB1E61D5208603E6A940DF2F6EC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:59.082{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:36:59.082{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8BEF84238A0A045BF5D5E63CA18B67,SHA256=80A8D453A564133A9E459EB00040B6E42398F1A2F5028418850BCB9F82298885falsefalse - insufficient disk space 10341000x80000000000000001564458Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:59.559{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C24B-6081-4086-00000000BA01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564457Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:36:59.557{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564456Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:36:59.557{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564455Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:05.297{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:05.297{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDA7F4B6E3DB47AAA405AE9A7C40414,SHA256=788000137CD5C5A9D31E24A3F392990D71A01B5BF2599E035632B87CA8C6133Efalsefalse - insufficient disk space 10341000x80000000000000001564497Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:05.177{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564496Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:05.177{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564502Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:06.711{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE82A131FB78FC0A1147E30C376743B,SHA256=EC2D5C10AB2798797769A38D74A104870C181D0ADB453459AD9EEC458121FED9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:06.299{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:06.299{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69820F92C5E48191A348AFE1B0EFA441,SHA256=9D4416EE71CA5D652ED5DD4170CB0DD3F1E12DEFFD867FA56A375A535B85ECDEfalsefalse - insufficient disk space 
23542300x80000000000000001564501Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:06.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F63DA2023BEFA518A63056BEF190D6AE,SHA256=571872633973D2E44245428FB540A63EC97620A6E67B8BA69337245EF6A680D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564500Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:06.178{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564499Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:06.178{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001564506Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:07.726{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A361DBC8A1066CB81C438C3DF2EB41DD,SHA256=335D6CB3B650D3E525F7E9ABDB815C56CDB14735DD14B0BFBBDFA5188E83C2A2,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002531119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:07.940{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002531118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:07.301{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:07.301{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E188C21E412CE739316C6534FAB38DB,SHA256=37E26F8F85DC069EB7322AA39D5A07E7BD8175A567CB03F14A52EC320CBEA5E6falsefalse - insufficient disk space 10341000x80000000000000001564505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:07.179{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:07.179{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001564503Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:00.715{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22405-false10.0.1.12-8000- 23542300x80000000000000001564509Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:08.734{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343C7B5FD1CBDB08502C67A08CCA10E9,SHA256=7CDA8B7F86CB30E6F2C739A71A139E833A43C7C55694E2AF1864199B9A0F960E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:08.357{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:08.357{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469EF6ABFFA8F09D37BE861CCF737238,SHA256=8C735C75CC8BBE92BB148C7B6AD54E7A92B5C1C3F2A784166936ACF1D1905FF1falsefalse - insufficient disk space 10341000x80000000000000001564508Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:08.179{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564507Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:08.179{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:08.222{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:08.222{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33854E594AD564150203BFCEBDC17467,SHA256=6C751BF2238DCB74E7284183B1D13C049BE41E955136E302098E218F62FF8059falsefalse - insufficient disk space 11241100x80000000000000002531122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:08.222{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:08.221{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF8692D347FEDD3679DC74A0F63634E8,SHA256=50948BA5945A9C21767D2288596D5A98F0ADB2BBE301E8A54B0FB6FB5A55A486falsefalse - insufficient disk space 12241200x80000000000000002531120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:08.041{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000001564512Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:09.737{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC0158326D6CEFD5A540F354A46CB1B,SHA256=9917AD98CD527B3B88722F77F34257F0DBE5A236B684821A070AC3FDC2150426,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:09.460{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:09.460{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2833E50864059CC3B2DBD3B07DCA8539,SHA256=CBBC2F909AB645962C02A76699AD30CE9A8F1D93F57A8169E085AC2E3103BEE9falsefalse - insufficient disk 
space 10341000x80000000000000001564511Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:09.180{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564510Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:09.180{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002531129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:07.509{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50802-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002531128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:07.409{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50801-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002531127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:06.685{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001564515Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:10.740{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2B575A2D8AEA7B6E79550CF3916A9C,SHA256=044F143F17DC9A1CB167068B4444341764C119280D681D027D51936D2AE93871,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:10.478{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:10.478{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED568D047FE69248B157D2829E0B45C,SHA256=3063D786C2D159AF262D09BFF256417520679B684ADB3EF58A938B473F9AA409falsefalse - insufficient disk space 10341000x80000000000000001564514Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:10.181{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564513Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:10.181{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564519Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:11.745{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25909EC5F767DC7AAB4DCBA1FD62530E,SHA256=AB0A264AE19B3D7F3CF3598F53BE847D78134065CD6BA20259512AF4F6CBBD03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:11.580{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:11.580{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7AFEB6C8F106C64363762057872030,SHA256=4DFB1510CBB3611B8DAF132200D81C7F12E332B23F39F93B67A552206E47C7FDfalsefalse - insufficient disk space 10341000x80000000000000001564518Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:11.182{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564517Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:11.182{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564516Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:11.129{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3CA80201AB63AED0A0B69B8E7C9B3C4,SHA256=5EBBCBA980F0903E5C7DAFBAB1D78E5EA903CDDF6C4055A9929E0B9B8868DB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564523Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:12.747{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D88E3495BE96A261BB172E53E6D96D,SHA256=BA47A2994E4158DBD8115B5E35DCF548147B4C400964D0650E31E35775A21A22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.868{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002531192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.868{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF11B656153A3024BEA594709DB0F0B,SHA256=1464926ACAD40DF1EABE06E876863D298A5737C5184DD6B6082F905243BE8B11falsefalse - insufficient disk space 10341000x80000000000000001564522Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:12.182{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564521Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:12.182{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000001564520Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:05.627{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22406-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 534500x80000000000000002531191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.536{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002531190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.536{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002531189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.535{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.534{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® 
Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002531187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.413{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.413{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002531185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002531184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002531183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002531181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000002531179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002531175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002531173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002531172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002531170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000002531168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002531166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002531165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002531150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002531149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:12.398{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002531144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.398{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.383{21761711-C258-6081-D187-00000000BB01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:12.382{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:12.382{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:37:12.382{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:12.382{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:12.382{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:12.382{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:13.917{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:13.917{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEB9109E50349B4560DA52E9F1AA192,SHA256=80D327B852681DF469A528BEB126092323FBF1BFD836C8CB2E7812AF14C26A30falsefalse - insufficient disk space 23542300x80000000000000001564527Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:13.752{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332BF6BB35193D7959FE4A8C8549280C,SHA256=F20F88F411E672D41B0782FF0BAA79D8340048A0A4735110652739F416C89B4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564526Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:13.183{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564525Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:13.183{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001564524Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:06.603{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22407-false10.0.1.12-8000- 11241100x80000000000000002531197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:13.384{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:13.384{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C04947AD491DA1D8E2027AB85E405154,SHA256=65693A1EF5450BBC58DFB62D9A29F6EAA44F792BE54B6BECE8DF25D3E479A6F5falsefalse - insufficient disk space 11241100x80000000000000002531195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:13.384{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:13.384{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33854E594AD564150203BFCEBDC17467,SHA256=6C751BF2238DCB74E7284183B1D13C049BE41E955136E302098E218F62FF8059falsefalse - insufficient disk space 11241100x80000000000000002531202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:14.957{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:14.957{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A571039DC9DED73CBA88AFB2145A130,SHA256=2AFAA8F80AFD70B694132F7B605342B733AB4CE9B58735207A5D66EF32EF4613falsefalse - insufficient disk space 23542300x80000000000000001564531Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:14.761{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF9B271B2098E3BF280FF151C1D7817,SHA256=4FC02F28D13B0A0E4A84716D165CD24A60447A2028204505332CEEA2ABC49C84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:12.702{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50803-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001564530Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:14.266{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E50795AD70181AAF439BF9062824EFC4,SHA256=B55DA8605E03BCE50363C93A1890F3BA42A6573190A3BAD9974E8F231C63ECB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564529Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:14.183{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564528Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:14.183{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564535Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:15.772{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B860380E2201A520B1EBF803480CF7E,SHA256=524D8832BDA86A75C2D046E5E9BB97FBDCDF76684E9B7B7115B5803774173945,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564534Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:15.184{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564533Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:15.184{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001564532Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:08.744{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22408-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001564541Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:16.781{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63205DC0DB3CB821C5A465503EB99E91,SHA256=1D891043D262A984B3573F75FFDC05F01C8A5DEAB12CE28DE09FE71502226C5D,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002531264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.724{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002531263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.724{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002531262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.724{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.724{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002531260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.608{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.608{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002531258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.608{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002531257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:16.608{21761711-C25C-6081-D287-00000000BB01}7884\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002531256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.608{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002531254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002531252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 
734700x80000000000000002531249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002531247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002531245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002531244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002531243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002531242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002531241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002531228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002531226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000002531224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002531223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002531222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002531221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x80000000000000002531218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000002531213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.592{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.577{21761711-C25C-6081-D287-00000000BB01}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:16.576{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:16.576{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:16.576{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000002531207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:16.576{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:16.576{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:16.576{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.091{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:16.091{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD33150A1E6C4017CB96A386684257F,SHA256=BEAA93DAE5E99D2F6E79D3FF571B8588E450B1C8F738525CBF824B4027BA8E0Efalsefalse - insufficient disk space 10341000x80000000000000001564540Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:16.411{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001564539Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:16.411{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564538Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:16.411{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF109d2ee1.TMPMD5=FD9CA3B752C969255F9013E45601E2FF,SHA256=6B542E6C346BCD00B0E9E5182F5689C44912608F9BE79EE9E779CD8B01144944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564537Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:16.185{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564536Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:16.185{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564545Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:17.789{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5376F5A526F5EFBCA8CED67FC01D8E67,SHA256=56C8D2A5A57D03A8ED39C6C566A820E4EA14230CF2B36672FB35EB8581EFB726,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002531376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.995{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.995{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002531374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft 
WindowsValid 18141800x80000000000000002531373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002531372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002531370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002531368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002531364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002531362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000002531361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002531360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002531358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002531355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002531354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
(rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 
(rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002531339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002531338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:17.980{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 
734700x80000000000000002531334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002531333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.980{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.965{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:17.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:17.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:17.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.579{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.579{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C04947AD491DA1D8E2027AB85E405154,SHA256=65693A1EF5450BBC58DFB62D9A29F6EAA44F792BE54B6BECE8DF25D3E479A6F5falsefalse - insufficient disk space 534500x80000000000000002531322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.410{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002531321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.410{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002531320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.410{21761711-C25D-6081-D387-00000000BB01}70244444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.410{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.410{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
11241100x80000000000000002531317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.378{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.378{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3328FADA98453C0578C58D1033298384,SHA256=FB01DDE12F9FE87F7BFD0944A9622C2758617A96DCDFB7729B62E3AABCC4BA0Cfalsefalse - insufficient disk space 734700x80000000000000002531315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.294{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 
734700x80000000000000002531313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002531312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002531311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002531309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002531307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002531303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000002531301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002531300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002531298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002531296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002531294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002531292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe 
OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002531278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C25D-6081-D387-00000000BB01}7024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:17.278{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002531273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.278{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.263{21761711-C25D-6081-D387-00000000BB01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.262{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:17.262{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:17.262{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:17.262{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:37:17.262{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:17.262{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001564544Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:17.236{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A742E0B5E0F73DAF44DF12F6CC134C6D,SHA256=0255B30C5EC1283CD5607656E28BC90E1ECE4CBBE6BF389BECB39C322202AD58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564543Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:17.186{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564542Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:17.186{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564549Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:18.793{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058D3BEAEA0C869D051193EB4BBA6AF0,SHA256=67F91E83905536510120D544B79250999F3915EC980A545BB92E1EBF20702951,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002531442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.813{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002531441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.813{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002531440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:18.813{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.813{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002531438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.697{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft 
WindowsValid 734700x80000000000000002531436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002531435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002531434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002531432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002531431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002531426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002531425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 
734700x80000000000000002531424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002531423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000002531422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 
734700x80000000000000002531420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002531418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 
734700x80000000000000002531416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002531414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002531404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002531400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002531395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.681{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C25E-6081-D587-00000000BB01}3828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.666{21761711-C25E-6081-D587-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:18.666{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:18.666{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:18.666{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:18.666{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:18.666{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:18.666{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.412{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.412{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCA06C64DC59384306573A25EEE3916,SHA256=A585BB05EFB0E7ED252C0F41EEE6E7EDE1A3AB0FDADC25E3B98D67204695CCDCfalsefalse - insufficient disk space 354300x80000000000000001564548Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:11.735{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22409-false10.0.1.12-8000- 10341000x80000000000000001564547Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:18.187{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564546Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:18.187{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002531384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.111{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002531383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.111{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002531382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.111{21761711-C25D-6081-D487-00000000BB01}61163944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.111{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.111{21761711-C25D-6081-D487-00000000BB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002531379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.080{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.080{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8053C48678D95EC3DA4A8757EE0D7A,SHA256=05B68E60044D66AEB813BD7DEB69D4A052155973DC92F0B3D71D1BCCA1F7CE00falsefalse - insufficient disk space 12241200x80000000000000002531377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:18.064{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000001564552Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:19.796{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374300639C0579EE78C482683FFF0B07,SHA256=EDFC2DC6F7F8F2AFB24203DCAB607A189ACE806CD60AA6AAE1351D97173EF3B0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002531557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.900{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.900{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002531555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.900{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002531554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.900{21761711-C25F-6081-D787-00000000BB01}1788\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002531553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002531551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows 
Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002531549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002531546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002531545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002531544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000002531543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002531531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002531530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000002531527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002531524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002531519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002531514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.884{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.869{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.868{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:19.868{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
18:37:19.868{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:19.868{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.868{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:19.868{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.668{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.668{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897F1E0C4C64763ED572075550E82A8B,SHA256=CBA53BB6614C6FAE252A8956CA5BCB7941596B6A52BF26CDB441E774B6BE6B21falsefalse - insufficient disk space 11241100x80000000000000002531503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.648{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.648{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C673A3E9F81F718077482E598116AE48,SHA256=8B1AAA27F6462E7C35D8C17A664D16B12C12F153AB3938BD033901C650AE2DD2falsefalse - insufficient disk space 354300x80000000000000002531501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.533{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50804-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 534500x80000000000000002531500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.499{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002531499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.499{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002531498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.499{21761711-C25F-6081-D687-00000000BB01}6967856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.499{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.499{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001564551Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:19.187{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564550Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:19.187{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002531494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002531493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002531492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002531491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002531490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 
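Most of the records above are the Splunk Universal Forwarder's own image loads, pipe connects and process-access events (splunkd.exe opening its child splunk-admon.exe with 0x1fffff, conhost/csrss touching it), which is expected noise on a forwarder host. The two records worth a second look are the ones attributed to ProcessGuid {21761711-C14F-6081-B287-00000000BB01}: a 32-bit rundll32.exe (C:\Windows\SysWOW64\rundll32.exe, PID 788, user WIN-HOST-5\Administrator) that created HKU\...\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (Event ID 12, CreateKey) and half a second earlier initiated a TCP connection to 34.218.235.219:443, an ec2 address, rather than anything on the 10.0.1.0/24 lab network (Event ID 3). The following detection is an added example and not part of the original log or of any Splunk content: it correlates Sysmon events by ProcessGuid and flags a rundll32 instance that both touches the WinINet Connections key and connects to a public address inside a short window. The sample events are constructed in the script from the field values visible in this excerpt (the benign splunkd.exe connection is invented for contrast), and the helper and field names are this example's own assumptions about how the flattened records would be parsed back into Sysmon's field schema.

```python
"""Correlate Sysmon events by ProcessGuid to flag a rundll32.exe that both
writes the WinINet proxy key and connects out to a public IP.

Added example; not code from the page or from Splunk. Sample events are
constructed from the values in the log excerpt, except the splunkd.exe
connection, which is invented as a benign control.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names follow Sysmon's schema; assumed to be
# what a parser of the flattened WinEventLog records would produce).
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2021-04-22 18:37:18.064",
     "ProcessGuid": "{21761711-C14F-6081-B287-00000000BB01}", "ProcessId": 788,
     "Image": r"C:\Windows\syswow64\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE"
                     r"\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"},
    {"EventID": 3, "UtcTime": "2021-04-22 18:37:17.533",
     "ProcessGuid": "{21761711-C14F-6081-B287-00000000BB01}", "ProcessId": 788,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "User": r"WIN-HOST-5\Administrator",
     "Protocol": "tcp", "Initiated": True,
     "SourceIp": "10.0.1.15", "SourcePort": 50804,
     "DestinationIp": "34.218.235.219", "DestinationPort": 443},
    # Invented benign control: the forwarder talking to an indexer on the LAN.
    {"EventID": 3, "UtcTime": "2021-04-22 18:37:19.000",
     "ProcessGuid": "{21761711-842A-607D-9700-00000000BB01}", "ProcessId": 3716,
     "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Protocol": "tcp", "Initiated": True,
     "SourceIp": "10.0.1.15", "SourcePort": 50810,
     "DestinationIp": "10.0.1.12", "DestinationPort": 9997},
]

PROXY_KEY_FRAGMENT = r"\internet settings\connections"


def _ts(ev: dict) -> datetime:
    """Sysmon UtcTime as a datetime (assumed format of the parsed field)."""
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_rundll32(ev: dict) -> bool:
    return ev.get("Image", "").lower().endswith(r"\rundll32.exe")


def is_public_destination(ev: dict) -> bool:
    """Event 3, initiated by the process, to an address outside private,
    loopback, link-local and other reserved ranges."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return False
    return ipaddress.ip_address(ev["DestinationIp"]).is_global


def touches_wininet_proxy(ev: dict) -> bool:
    """Event 12 CreateKey under ...\\Internet Settings\\Connections, the key
    WinINet populates when a process first sets up proxy/connection state."""
    return (ev.get("EventID") == 12 and ev.get("EventType") == "CreateKey"
            and PROXY_KEY_FRAGMENT in ev.get("TargetObject", "").lower())


def find_rundll32_beacons(events: list[dict],
                          window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """One finding per rundll32 ProcessGuid that, within `window`, both created
    the WinINet Connections key and connected to a public IP.  Correlating on
    ProcessGuid rather than PID survives PID reuse across the log."""
    by_guid: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if is_rundll32(ev):
            by_guid[ev["ProcessGuid"]].append(ev)

    findings = []
    for guid, evs in by_guid.items():
        net_events = [e for e in evs if is_public_destination(e)]
        reg_events = [e for e in evs if touches_wininet_proxy(e)]
        for net in net_events:
            match = next((r for r in reg_events
                          if abs(_ts(net) - _ts(r)) <= window), None)
            if match is None:
                continue
            findings.append({
                "ProcessGuid": guid,
                "ProcessId": net["ProcessId"],
                "Image": net["Image"],
                "User": net.get("User"),
                "Wow64": "syswow64" in net["Image"].lower(),
                "Destination": f"{net['DestinationIp']}:{net['DestinationPort']}",
                "RegistryKey": match["TargetObject"],
                "DeltaSeconds": abs(_ts(net) - _ts(match)).total_seconds(),
            })
            break  # one finding per process is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_rundll32_beacons(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately narrow so that it does not fire on the forwarder's own traffic, but it is a triage aid, not proof: the Event ID 1 for PID 788 (command line, loaded DLL, parent) is not in this excerpt, and rundll32 hosting a legitimate Control Panel or Internet Options applet can also create the Connections key. Before escalating, pivot on the ProcessGuid to the process-create record and to the parent's chain, and treat the public destination on 443 as the stronger of the two signals.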
734700x80000000000000002531489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002531488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002531487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002531486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002531485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002531484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002531483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002531482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002531481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.367{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002531480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002531479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000002531478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002531477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002531476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002531475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002531474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002531473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002531472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002531458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000002531455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002531453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.352{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002531451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:19.346{21761711-C25F-6081-D687-00000000BB01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.345{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:19.345{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000002531448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.345{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:19.345{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:37:19.345{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:37:19.345{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.998{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:18.998{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4609545921644AB85F014F181306D4E5,SHA256=C033FC51310EF392EA7B2BE41B9C83840656D2639EEB1540862E69AD9DA13F47falsefalse - insufficient disk space 23542300x80000000000000001564555Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:20.799{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D2EFA258FBB498EF417B5BFFAC916E,SHA256=DE21B085619C4E21BFEE115E65663E73E3FC5F9B78B8547EBCF91770B392DA76,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.771{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.771{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DE8EFB60FB3ABD799F50DBFC961F7A,SHA256=FB46D3F01ED7465E3C22EA76592DE61F3E8F9571FB7A7135C7C4BA930B253E16falsefalse - insufficient disk space 354300x80000000000000002531564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:17.733{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001564554Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:20.188{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564553Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:20.188{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.352{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.352{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC634F168CD6C46DF5899E778A01E519,SHA256=22B66840D7AECC36C8AF43C62F1670B7C6E9BCA2CD2A203AEE7A564C92097853falsefalse - insufficient disk space 534500x80000000000000002531561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.016{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002531560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.016{21761711-C25F-6081-D787-00000000BB01}17887368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.016{21761711-C25F-6081-D787-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002531558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:20.016{21761711-C25F-6081-D787-00000000BB01}1788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002531568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:21.657{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:21.656{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0B514B7AF7F99F4FE1E8A6F8940838,SHA256=122EFFD8B0A8E5D7C72396AF67308456EFC1F988F05426EC254140CC1E3E35EBfalsefalse - insufficient disk space 23542300x80000000000000001564558Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:21.802{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133E78CB8EAB6409BD4425AD794FA9EE,SHA256=1F558ED7A83BAF8086561CD04DEABCF41204E328AFF26DA7D875E1E6539049B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564557Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:21.189{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564556Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:21.189{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564561Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:22.812{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73AB5732D83C4925C6E1B34A520B813,SHA256=8790A3187CC4E9BBE01B66FAEBD633B72EE83E0B206B260225EA31E8E3C97744,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:22.738{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:22.738{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3B6ABE6BA1B8BE1BD31C0F9E501B97,SHA256=265C3128DC2D1639BDA11138D611D4F5ABC571D60B36ADB891360C39E5583029falsefalse - insufficient disk space 10341000x80000000000000001564560Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:22.189{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564559Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:22.189{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564566Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:23.817{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7377B56535817A4102A16E7B7B918979,SHA256=A8AA44F64D65F91974124E25A8A343B4868979B3AEF0801E681A4DEDB4A84311,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:23.740{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:23.740{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855CFBC6AFA3BAEA84FA3EF20461162F,SHA256=6D5AF6A9C94A94EB4953F0FAAB8267D7A167BAE8F5B33FBDE10D1F2CD2628E60falsefalse - insufficient disk space 
10341000x80000000000000001564565Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:23.189{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564564Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:23.189{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564563Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:23.135{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AEF1FBF56F236BDF203DB8E6BCD0E7D,SHA256=43BBB291BF5E42F77231D28B05BAE79F7C1EEDDE21C2C263CE666B03C5700714,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001564562Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:23.134{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D6C751A57A262C8CF6046F749BE53B,SHA256=BCC87C4AA60CE5DD20DADF414B1B905F72F55CF3C79466717E01D5BB8AB19A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564570Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:24.821{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA5028C92DB7741A9730E8B3467D692,SHA256=F22CE9AC777A0590C438C39E5518BF03B971DC9286C678E22AF4C76491E03DD4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:24.780{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:24.780{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9341D6863A7ABBEEC23A7D6746318738,SHA256=D546FA43742EB84AA147131B55DE433ADF35433E54E14266E603A44A14ED1593falsefalse - insufficient disk space 354300x80000000000000001564569Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:17.631{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22410-false10.0.1.12-8000- 10341000x80000000000000001564568Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:24.190{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564567Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:24.190{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:24.742{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 
23542300x80000000000000002531573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:24.742{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E99BFD6BB4BD63060DF665F8998A5754,SHA256=614F7655DEBA78C80D8692EE2E2106DB4C8C82A540157C8B7441555CDBD0EE4Bfalsefalse - insufficient disk space 23542300x80000000000000001564573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:25.825{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16606BF5020961B3E98F164942B70F00,SHA256=944B9DF4F109152AF868F5FD0AAB5BE20F1A2463513D806E9A8151313C5D7150,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:25.798{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:25.798{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9DA6393FEA0A664328582F3E70B754,SHA256=2F269BD1539B2C505389E13286172CD12DF6DB95ED71390642428AE3927E55C0falsefalse - insufficient disk space 10341000x80000000000000001564572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:25.190{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564571Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:25.190{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002531579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:23.509{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50806-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:25.081{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:25.081{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011A0F35E2E41001C8F258AE6A444E83,SHA256=9AACB05599300ACB942DDFB15DEC01D2323E93A8A5B44FAF6A6A160C16B27158falsefalse - insufficient disk space 11241100x80000000000000002531583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:26.800{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:26.800{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B316B0F0A4AEB841D7E0976E40E79938,SHA256=AEAD612E5B3C75DBE747400CBF7F8240BADF5BEE223F9A4EBE6E42F78A7078F4falsefalse - insufficient disk space 23542300x80000000000000001564576Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:26.832{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD40A49F48B8ADAF2ACF757438F62F4,SHA256=6B9267DD95F2B63B26F825FE44787730102BD798E5284D716CD3352056B7F36E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564575Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:26.191{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:26.191{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564579Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:27.835{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D68EA29C36BB81B6E462E36978D077,SHA256=9328FFB0C0FBEADF5959E0C7F122EF8C2C20CCD8C9CF0808CCD414A5227CD939,IMPHASH=00000000000000000000000000000000falsetrue 
12241200x80000000000000002531584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:27.950{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001564578Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:27.191{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564577Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:27.191{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564582Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:28.951{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706FD3FCDDC87D40D16323FEF8004150,SHA256=7DC0065E28ED7547060AECF089A26AAAFF5BACB1B85908A5B231BE5CD611FE75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564581Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:28.192{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564580Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:28.192{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:28.952{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:28.952{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F428C3D02B5812CD78325B65A17409F,SHA256=68EC70E5E9E7B190C894863D4ADBB94562D8C9ECE6774114BE4E122E3C2631B0falsefalse - insufficient disk space 12241200x80000000000000002531587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:28.069{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002531586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:28.019{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:28.019{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336A65290B8DECC951C2FD98F06BA623,SHA256=ADFBBDB62CDD710A1A6C8E3B8392E62E76F7A06E56870607A897F4EF6184DA45falsefalse - insufficient disk space 23542300x80000000000000001564587Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:29.957{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2E6EDED423329FF7E69E080D7BEC1F,SHA256=49F75EB916CDD454732946D2E8B023F1777CD91DA2FF0945E2F297AD68B25D54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564586Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:29.193{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564585Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:29.193{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564584Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:29.024{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA3F6CFE89D779F6042556F3FEA0BE5D,SHA256=B895172432063D84F59D2912B50259010AD366EFB5E0802A4430F00202C6B539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564583Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:29.023{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AEF1FBF56F236BDF203DB8E6BCD0E7D,SHA256=43BBB291BF5E42F77231D28B05BAE79F7C1EEDDE21C2C263CE666B03C5700714,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:27.537{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50808-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002531592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:27.418{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50807-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002531591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:29.070{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:29.070{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC123BAEEACCC3674B7845B58DC3175,SHA256=E32F7C07E123968B65A819DFDDA0B27DD0D188C5ADB584FB04AFB391B2137B24falsefalse - insufficient disk space 23542300x80000000000000001564591Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:30.966{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE207C1F4E97E9BC60E9388581A65896,SHA256=DB59864F2499014201DD4ED837AB84835E97C531A074035FDC803F7CF2195FCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001564590Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:23.519{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22411-false10.0.1.12-8000- 10341000x80000000000000001564589Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:30.193{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001564588Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:30.193{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002531598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:28.521{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50809-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:30.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:30.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36B55556900C4052F31937EC1F4E850,SHA256=371DC8BAE2D9D7B3B72C849C6EF905080ED3B51D9F868B746643145F0E1330CBfalsefalse - insufficient disk space 
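The records above are raw Sysmon events (Event IDs 3 NetworkConnect, 10 ProcessAccess, 11 FileCreate, 12 RegistryEvent, 23 FileDelete) from two Attack Range hosts, with the XML fields run together. Almost all of it is telemetry noise: the Splunk forwarder writing and deleting its own checkpoint files, streamfwd.exe talking to the indexer on 10.0.1.12:8000, svchost.exe (psmserviceexthost) opening ShellExperienceHost and SearchUI with access 0x3600 once a second, and lsass/ADWS looping over LDAP on ::1. The four records worth a look are on win-host-5: a 32-bit powershell.exe (PID 2852) and a 32-bit rundll32.exe (PID 788), both running as WIN-HOST-5\Administrator, each create the per-user key `...\Internet Settings\Connections` and, within the same second, open an outbound TCP connection to 34.218.235.219:443. The following is an added example, not part of the log corpus or of the Splunk Attack Range tooling: it rebuilds those records as structured events (field values copied from the dump, the two benign forwarder and ADWS records included for contrast), flags outbound connections from script hosts and LOLBins to public addresses, pairs each with a CreateKey on the WinINet Connections key by the same ProcessGuid, and decodes the process start time that Sysmon embeds in the second and third groups of a ProcessGuid. The LOLBIN list, the five-second window and the field names are the example's own assumptions; the GUID decoding can be cross-checked against the page, since the forwarder's ProcessGuid decodes to 2021-04-19 13:23:03 UTC, the same day as the 2021-04-19 creation times in its FileCreate records.

```python
"""Triage helper for the Sysmon Event ID 3 / 12 records shown in the dump.

Added example, not the page's own code. Sample records are constructed by
hand from the field values visible in the dump; Sysmon field names are used
for the keys. The LOLBIN set and the correlation window are assumptions.
"""
import ipaddress
import ntpath
from datetime import datetime, timedelta, timezone

WININET_KEY = r"\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
HKU_ADMIN = r"HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE" + WININET_KEY

# Constructed sample: four records of interest from win-host-5 plus two
# benign records (forwarder on win-host-5, ADWS on win-dc-982) for contrast.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2021-04-22 18:37:27.950",
     "ProcessGuid": "{21761711-BD9E-6081-3387-00000000BB01}", "ProcessId": 2852,
     "Image": r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
     "TargetObject": HKU_ADMIN},
    {"EventID": 3, "UtcTime": "2021-04-22 18:37:27.418",
     "ProcessGuid": "{21761711-BD9E-6081-3387-00000000BB01}", "ProcessId": 2852,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"WIN-HOST-5\Administrator", "Initiated": True,
     "DestinationIp": "34.218.235.219", "DestinationPort": 443},
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2021-04-22 18:37:28.069",
     "ProcessGuid": "{21761711-C14F-6081-B287-00000000BB01}", "ProcessId": 788,
     "Image": r"C:\Windows\syswow64\rundll32.exe", "TargetObject": HKU_ADMIN},
    {"EventID": 3, "UtcTime": "2021-04-22 18:37:27.537",
     "ProcessGuid": "{21761711-C14F-6081-B287-00000000BB01}", "ProcessId": 788,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "User": r"WIN-HOST-5\Administrator", "Initiated": True,
     "DestinationIp": "34.218.235.219", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2021-04-22 18:37:28.521",
     "ProcessGuid": "{21761711-8431-607D-C500-00000000BB01}", "ProcessId": 3840,
     "Image": r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Initiated": True,
     "DestinationIp": "10.0.1.12", "DestinationPort": 8000},
    {"EventID": 3, "UtcTime": "2021-04-22 18:37:25.691",
     "ProcessGuid": "{761B69BB-819C-607D-2400-00000000BA01}", "ProcessId": 2752,
     "Image": r"C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Initiated": True,
     "DestinationIp": "0:0:0:0:0:0:0:1", "DestinationPort": 389},
]

# Assumption: binaries that run constantly but rarely need the Internet on
# their own. Tune per environment; this is a starting set, not a standard.
LOLBIN_NETWORK = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                  "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe"}


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def process_start_time(process_guid):
    """{MachineGuid-TimeLow-TimeHigh-...}: groups 2 and 3 hold the process
    creation time as a 32-bit Unix epoch, high word in group 3."""
    g = process_guid.strip("{}").split("-")
    return datetime.fromtimestamp(int(g[2] + g[1], 16), tz=timezone.utc)


def is_public(ip):
    a = ipaddress.ip_address(ip)  # accepts "0:0:0:0:0:0:0:1" as well as "::1"
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def is_suspicious_outbound(ev):
    if ev["EventID"] != 3 or not ev.get("Initiated"):
        return False
    return (ntpath.basename(ev["Image"]).lower() in LOLBIN_NETWORK
            and is_public(ev["DestinationIp"]))


def correlate(events, window=timedelta(seconds=5)):
    """One finding per suspicious outbound connection, enriched with whether
    the same ProcessGuid created the per-user WinINet Connections key within
    `window` (consistent with proxy discovery by a scripted HTTP client;
    context for triage, not proof of anything by itself)."""
    findings = []
    for net in events:
        if not is_suspicious_outbound(net):
            continue
        t0 = parse_utc(net["UtcTime"])
        touched_wininet = any(
            e["EventID"] == 12 and e.get("EventType") == "CreateKey"
            and e["ProcessGuid"] == net["ProcessGuid"]
            and e["TargetObject"].endswith(WININET_KEY)
            and abs(parse_utc(e["UtcTime"]) - t0) <= window
            for e in events)
        findings.append({
            "pid": net["ProcessId"], "image": net["Image"], "user": net["User"],
            "dest": f'{net["DestinationIp"]}:{net["DestinationPort"]}',
            "process_start": process_start_time(net["ProcessGuid"]),
            "wow64": "\\syswow64\\" in net["Image"].lower(),
            "wininet_proxy_lookup": touched_wininet,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample, the forwarder and ADWS records fall out on the destination check (RFC 1918 and loopback), and the two findings left are the 32-bit powershell.exe and rundll32.exe connections to 34.218.235.219:443, each paired with its CreateKey and with decoded start times of 18:17:02 and 18:32:47 UTC, twenty and five minutes before the connections. The page does not say what those two processes were doing, so the output is a triage queue, not a verdict; the next pull would be the Event ID 1 records for PIDs 2852 and 788 (command line and parent), which are not in this section.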
11241100x80000000000000002531595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:30.075{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:30.075{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7989F67D54F54C5C2E19F16225FD3850,SHA256=CBEE0834153BD215E0435248D603C78190A8B91CC31CBD81B6E3E7A3D6F672E6falsefalse - insufficient disk space 23542300x80000000000000001564597Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:31.970{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1633F24235DBC6378FC358F6BEF0DF0,SHA256=5805DD64519E3C30CA8A04AA63270D80560E4D4D59B77CC4B819F623D651105B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:31.142{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:31.142{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEF7AC6E61376CF95E400C699555573,SHA256=1C7CACCB5A0141E7A3AA6CD266F6323CC59E67DF0D8EF779BB2B11D51ED334D1falsefalse - insufficient disk space 354300x80000000000000001564596Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:25.691{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22412-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001564595Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:25.691{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22412-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001564594Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:31.198{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA3F6CFE89D779F6042556F3FEA0BE5D,SHA256=B895172432063D84F59D2912B50259010AD366EFB5E0802A4430F00202C6B539,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564593Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:31.194{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564592Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:31.194{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564600Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:32.972{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BDBEA5F37DC0AE861CAEAA0AEFFFAF,SHA256=E9F18BC2A3F3B865E4B3ED0726D2E727D85ED0D456A4154D41639461FB2FD5C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:32.160{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:32.160{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D5C53BEC7777091D49C70C667470BD,SHA256=2D0259A0E08F961C006D6BA1ADAD66F26B21B3154A12ABF5A9DFB040ADEA730Bfalsefalse - insufficient disk space 10341000x80000000000000001564599Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:32.195{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564598Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:32.195{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564603Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:33.978{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E6DCB636689D68C1F90F81D527487F,SHA256=11D428DA76BC23FB3B39B277B2B37935E591B2B00CB72BD06659DC4595948FCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:33.200{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:33.200{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C872922C0A8B2289993CA2EB235D5D,SHA256=0E7E485C51D61988520500DAA7BE68A1714F55DB332DFF84BA1E44AB038D983Afalsefalse - insufficient disk space 
10341000x80000000000000001564602Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:33.195{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564601Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:33.195{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:34.981{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73926A3DE120C6BAC1E7334CBE4AAF4,SHA256=A3E8634D3340B7AD141A88FFDADD238F947DBFEDADCE1053825E9671D5DFAD3A,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002531606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:34.218{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:34.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26232A87C45B2C9875C0D6989B74B37C,SHA256=EB3090DE739862DDF9039E340A96EE022FE228A5463DCD49E57645E76C0B49FCfalsefalse - insufficient disk space 354300x80000000000000001564607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:28.647{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22413-false10.0.1.12-8000- 10341000x80000000000000001564606Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:34.196{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
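The records above reduce to a few patterns once their field boundaries are restored. Every FileDelete (EventID 23) logged on win-host-5 ends in Archived="false - insufficient disk space", so the Sysmon archive directory on that host was full and only the hashes of the deleted files survive, while win-dc-982 reports Archived=true for the same checkpoint files. The ProcessAccess (EventID 10) records are all svchost.exe opening SystemApps processes with 0x3600 through psmserviceexthost.dll, or explorer.exe and another svchost.exe with 0x1000 through rpcss.dll, which is routine Process State Manager and RPCSS activity and has to be filtered before a genuine lsass.exe access would stand out. The Python below is an added triage example, not code from this page or from Splunk or Sysmon. It parses Splunk-style key=value records (values containing spaces in double quotes), decodes GrantedAccess into the winnt.h rights it contains, separates that benign svchost.exe pattern from any lsass.exe access that carries a memory or thread right, and groups deletes whose content was never archived by host. The sample records are constructed: four are condensed from records in this export, and the final lsass.exe line is hypothetical, present only so the detector has something to flag.

```python
"""Sysmon ProcessAccess (EventID 10) and FileDelete (EventID 23) triage.

Added example; not code from the log export above nor from Splunk or Sysmon. Input is
Splunk-style key=value pairs, one event per line, values with spaces in double quotes.
SAMPLE is constructed: four records are condensed from the export, the lsass.exe record
is hypothetical and exists only so the detector has something to flag.
"""
import re
from collections import defaultdict
from ntpath import basename  # Windows path handling on any OS

# Process access rights from winnt.h, used to decode Sysmon's GrantedAccess mask.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
SENSITIVE_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040  # thread creation, VM, handle dup
# Modules behind the svchost.exe ProcessAccess noise in this export: the Process State
# Manager (psmserviceexthost.dll) and the RPC endpoint mapper (rpcss.dll).
BENIGN_SVCHOST_DLLS = ("psmserviceexthost.dll", "rpcss.dll")
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

SAMPLE = "\n".join([
    # Condensed from export records 1564588 and 1564639 (win-dc-982, ProcessAccess).
    r'EventID=10 Computer=win-dc-982.attackrange.local UtcTime="2021-04-22 18:37:30.193"'
    r' SourceImage=C:\Windows\system32\svchost.exe GrantedAccess=0x3600'
    r' TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe'
    r' CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a',
    r'EventID=10 Computer=win-dc-982.attackrange.local UtcTime="2021-04-22 18:37:38.396"'
    r' SourceImage=C:\Windows\system32\svchost.exe TargetImage=C:\Windows\explorer.exe'
    r' GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\rpcss.dll+ed71',
    # Condensed from export records 2531596 (win-host-5) and 1564597 (win-dc-982), FileDelete.
    r'EventID=23 Computer=win-host-5.attackrange.local UtcTime="2021-04-22 18:37:30.092"'
    r' Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" IsExecutable=false'
    r' TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"'
    r' Archived="false - insufficient disk space"',
    r'EventID=23 Computer=win-dc-982.attackrange.local UtcTime="2021-04-22 18:37:31.970"'
    r' Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" IsExecutable=false'
    r' TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"'
    r' Archived=true',
    # Hypothetical, not in the export: a binary in a user-writable path reading lsass memory.
    r'EventID=10 Computer=win-dc-982.attackrange.local UtcTime="2021-04-22 18:40:00.000"'
    r' SourceImage=C:\Users\Public\tool.exe TargetImage=C:\Windows\system32\lsass.exe'
    r' GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00007FF6C0001000)',
])

def parse_record(line):
    """One line to a dict; the first '=' ends the key, so Hashes=MD5=...,SHA256=... survives."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def decode_access(mask_str):
    """Names of the rights set in a GrantedAccess value such as 0x3600."""
    mask = int(mask_str, 16)
    return {name for bit, name in ACCESS_RIGHTS.items() if mask & bit}

def suspicious_lsass_access(rec):
    """EventID 10 whose target is lsass.exe and whose mask has a memory or thread right."""
    if rec.get("EventID") != "10":
        return False
    mask = int(rec.get("GrantedAccess", "0x0"), 16)
    return basename(rec.get("TargetImage", "")).lower() == "lsass.exe" and bool(mask & SENSITIVE_MASK)

def is_known_benign(rec):
    """The svchost.exe pattern filling this export: PSM/RPCSS call trace, query/set-info mask only."""
    if rec.get("EventID") != "10":
        return False
    mask = int(rec.get("GrantedAccess", "0x0"), 16)
    return (basename(rec.get("SourceImage", "")).lower() == "svchost.exe"
            and any(dll in rec.get("CallTrace", "").lower() for dll in BENIGN_SVCHOST_DLLS)
            and not (mask & SENSITIVE_MASK))

def unarchived_deletes(records):
    """EventID 23 records whose file never reached the Sysmon archive directory, by host."""
    lost = defaultdict(list)
    for rec in records:
        if rec.get("EventID") == "23" and rec.get("Archived") != "true":
            lost[rec["Computer"]].append({"TargetFilename": rec["TargetFilename"],
                                          "Archived": rec["Archived"]})
    return dict(lost)

def triage(text):
    records = parse_records(text)
    alerts, benign = [], 0
    for rec in records:
        if suspicious_lsass_access(rec):
            alerts.append({"UtcTime": rec["UtcTime"], "Computer": rec["Computer"],
                           "SourceImage": rec["SourceImage"],
                           "Rights": sorted(decode_access(rec["GrantedAccess"]))})
        elif is_known_benign(rec):
            benign += 1
    return {"lsass_alerts": alerts, "benign_process_access": benign,
            "unarchived_deletes": unarchived_deletes(records)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run directly, it prints the triage summary for SAMPLE: one lsass.exe alert decoded to PROCESS_QUERY_LIMITED_INFORMATION plus PROCESS_VM_READ, two benign svchost.exe accesses, and win-host-5 as the only host with unarchived deletes. Fed the whole export in the same key=value form, the last item is the check to make before relying on the Sysmon archive directory as a forensic source, since Archived="false - insufficient disk space" means the file content is gone and only the recorded hashes remain.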
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564605 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:34.196" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564604 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:34.155" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=A2CEE68FEEB96288763090BCF013663D,SHA256=AA666409BA3E0613357CD0A50E6A08462F26DAB4B247F96AE1584B1897AAA597,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564611 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.983" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F25F30C0696509485AE4F7967FE6A1E8,SHA256=0C41ACB0F63F10AC1755F004305A12380510B5559AE8807D54BEEAC17DED6FF1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531613 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:33.702" ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=50810 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531612 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.287" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531611 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.287" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=21772491AFE5488E49136384C6CF1EFE,SHA256=BFE19982D16BF7CAFD0B50682C83A7E33C4AA89C7C5499C00E7BCD3A4C324D96 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564610 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.197" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564609 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.197" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531610 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.236" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-04-19 13:20:22.616"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531609 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.236" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=53F99458031C9D2BF75879EB4E54FA37,SHA256=44B3CDB6F5172D3655A6405F1BCB91DC28B4FFE17816C495A693044CA10BCC53 IsExecutable=false Archived="false - insufficient disk space"
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531608 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.236" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-04-19 13:20:22.616"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531607 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:35.236" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=EEA3F69CCEA0B2F13704E21E5B476954,SHA256=BCDEE01B49C4921BE4DF2E56A7E57892FB4B7439AA852B101B17CC713678BA16 IsExecutable=false Archived="false - insufficient disk space"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564614 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:36.987" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=CF44F0695C0F2FC43AEF414C4C2DB615,SHA256=91D0AF31FE89D23B9E71BB212958E12FA260F19AC80F532FF31CABDCAF61D3F9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531615 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:36.523" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531614 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:36.523" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=3EB1A3AAF8B3F661D61DC5F19EB23DDD,SHA256=71364D5ABB1A600A42BAC29A08BD05B148D5C7CE0EB9F9068DFED620C44A3BC9 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564613 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:36.198" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564612 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:36.198" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531617 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:37.525" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531616 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:37.525" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=2391BCAA1BC8149C9409EE81A2ED9522,SHA256=3D32F65652AA12289B61203177A262587E34B0DE0D34D94BF6F6B515982CD56F IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564616 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:37.198" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564615 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:37.198" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531620 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.612" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2531619 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.612" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=18DC798859A59180478EF013D8185D2D,SHA256=E2D1A4F03AC4725A89D224CC1075D9B263DD1A82C9CBED1BF39F4EF026FE3850 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564641 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.396" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2900-00000000BA01} TargetProcessId=2920 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564640 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.396" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2900-00000000BA01} TargetProcessId=2920 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564639 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.396" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564638 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564637 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564636 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564635 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564634 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564633 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564632 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564631 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564630 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564629 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564628 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564627 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564626 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564625 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 18:37:38.395" SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88A9-6081-637F-00000000BA01} TargetProcessId=5836 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1564624 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 
18:37:38.395{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564623Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:38.395{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564622Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:38.395{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564621Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:38.395{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564620Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:38.395{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564619Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:38.218{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666DFF5AD088FB80535C0F7BEC2C8F05,SHA256=3307D2B5D440706E00B7EA48C463593231092FEE379F27BE82A6DC619BABF9A9,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002531618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:38.074{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001564618Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:38.199{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564617Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:38.199{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:39.797{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:39.797{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBF9204B168479292D4565918921B86,SHA256=11765D972F833212B9AFD2F6CA0159DEE9FAC0BA5853F07403B8504B74878FD4falsefalse - insufficient disk space 23542300x80000000000000001564644Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:39.231{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1AF87A298B3753EABADD5AE6D45EA4,SHA256=2FBA369E2E0B496CCF1A7E74B75D2EE08902B6288296893780CACFE7F8490318,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:39.094{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:39.094{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F99458031C9D2BF75879EB4E54FA37,SHA256=44B3CDB6F5172D3655A6405F1BCB91DC28B4FFE17816C495A693044CA10BCC53falsefalse - insufficient disk space 10341000x80000000000000001564643Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:39.200{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564642Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:39.200{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002531627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:37.542{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50811-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002531626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:40.818{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:40.818{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93850D810D1437878C920859DB4368B,SHA256=0EDEB6260FB47A094712FFEA017EE45865CE30BE27F329BBD5995F09FE30697Efalsefalse - insufficient disk space 354300x80000000000000001564651Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:34.537{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22415-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001564650Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:34.536{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22414-false10.0.1.12-8000- 23542300x80000000000000001564649Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:40.243{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22CB4BCFDCB502504BBADC4FD2363D1,SHA256=F3388162EA73C36A6846AA072EFE0EF109ACBB7FCF132333215D7179423B8A6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564648Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:40.201{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564647Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:40.201{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564646Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:40.137{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68B271C8D0A2AAEF520ABC03EBC15F7,SHA256=9D99E0C46CED0DAEE9464B363A78408446C6648B68D204B7FB3C23EEFFB1FCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564645Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:40.136{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B926B94831ADC663ABDA43A38EFDAD8,SHA256=4D310CDD7DBA3F7AABC949D7BB1C0B58380A88910CD857229F3372BDA4C7D625,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:41.820{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:41.820{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760857717F67882D96AE9DB0857DD0D2,SHA256=81D480B49F21DABA2E3D2BEC9B2FCBBC6EFE2B95341116207223002B0352E66Cfalsefalse - insufficient disk space 354300x80000000000000001564656Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:35.741{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22416-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001564655Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:41.250{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66128A737DDDB0E532403C441577C087,SHA256=204D3815136EE16B1591A66F853F4F4531B3E8A338F8E21422FA646C052F5874,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:39.515{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50812-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:41.049{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:41.049{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8471641C4AFB4D9C08A2660C1EB5CE18,SHA256=929E0BBCAEB2B9CD5F4835ADDA143ED849EA4D9198EFD19D30DD4A1992A5A43Bfalsefalse - insufficient disk space 23542300x80000000000000001564654Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:41.242{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68B271C8D0A2AAEF520ABC03EBC15F7,SHA256=9D99E0C46CED0DAEE9464B363A78408446C6648B68D204B7FB3C23EEFFB1FCBC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564653Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:41.201{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564652Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:41.201{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:42.838{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:42.838{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CC9ADD58616628088B86224D2B562F,SHA256=5D2BAD081B32E2A9DDB94EAA963109AFC124F0E3A5493A70E251F662206593D4falsefalse - insufficient disk space 23542300x80000000000000001564659Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:42.254{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F774FF38AC75D519A057F0B1E263367,SHA256=651399878694E4814171C6415A58AA618F30DBA5CE2F8F004FCBFDE9E51A8321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564658Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:42.202{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564657Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:42.202{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:43.840{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:43.840{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E99805A4649793F0C127951958F7E1,SHA256=2781FD114FB71FC41E066EDEFD59908764D1F6527A340DFD6C9B80049B44E688falsefalse - insufficient disk space 23542300x80000000000000001564662Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:43.257{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAD6FAE0E05D807956913B7ACEE35F1,SHA256=7F8B15A89369D84060CC2DDD553372EE86AC79129E49CBFEAEC5BD34C29AE425,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002531636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:43.787{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000002531635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:43.787{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 10341000x80000000000000001564661Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:43.203{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564660Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:43.203{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:44.874{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:44.874{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EDE6AA73422F03AAF1738737E7B67E,SHA256=5AF2632DEF46DE2B964B80016E29109F757EEACF20C34BA72CB07CD4D13717EBfalsefalse - insufficient disk space 23542300x80000000000000001564665Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:44.261{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F933AFDA5E0471FCADC2B32F2129B97,SHA256=FC978811E3E84799A717CB51B7EEEC8A912CAB450B433F05914A6D8C0135588C,IMPHASH=00000000000000000000000000000000falsetrue 
18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.664{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.132{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.132{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0B48CBCF319B6EA833616E2219F429,SHA256=7987F08C0008CB3761E3C05C2CFAD444E3B177C09C7989ED1AD5DBCDFE79DE85falsefalse - insufficient disk space 10341000x80000000000000001564675Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:47.206{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564674Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:47.206{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:48.967{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:48.967{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7AAC7D34CEB0903CD727C89BE7561E5,SHA256=F5ED663B29079411E41BC71E8DFF46990E8AE7BC56713E732BB277DF6A9ABB15falsefalse - insufficient disk space 11241100x80000000000000002531699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:48.551{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:48.551{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6C715C441D688361A18E87096516C8,SHA256=DAC0052A0575A54A198C6A2E85FDC5EE206546AF06280438CCB11E5EFDDEA3BCfalsefalse - insufficient disk space 23542300x80000000000000001564679Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:48.289{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0412255AA4949C99BAF9429F28F3CB,SHA256=CB324433DFE2FB69D5394CA694334AA99E4E532192C6ED3AA28BDC09965D2B98,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564678Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:48.207{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564677Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:48.207{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002531697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:37:48.081{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000002531705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:47.549{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50816-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002531704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:47.434{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50815-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002531703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:49.618{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:49.618{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D543EE8C26F18AD90DE7F2A914D916,SHA256=FE14E26479A416046A548D6F774183CAE24E1339D45D92D4CE86E6A2E2AB619Afalsefalse - insufficient disk space 23542300x80000000000000001564682Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:49.302{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453BA63741BD14B3AD8C4989A90D8577,SHA256=3035B0D9411132C2709CAD7942F1759712CF74AFF753FFBB2FFA87EBF54CA831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564681Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:49.207{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564680Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:49.207{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:50.640{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:50.640{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767CA73FB7FA25DFCF720D3C767CDA84,SHA256=41E65B6B6918216CD85B5A00441EC0571FDBB59198A5D50D7948285AD193D7E4falsefalse - insufficient disk space 23542300x80000000000000001564685Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:50.313{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1312DBE8AD3603B4123A9DC4F74123D,SHA256=D4538E81482822FB07D3EFDC721D3EBB1C06EDB7AB5D695B23D7FDABE51F824B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564684Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:50.208{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564683Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:50.208{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:51.689{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:51.689{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529C0F7CC167388D330E1FD7B38EE790,SHA256=6B7AB56E79298457E523943C122AD3F9DF2657657027E29D45896F5CD2F17B5Afalsefalse - insufficient disk space 354300x80000000000000001564700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:45.543{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22418-false10.0.1.12-8000- 23542300x80000000000000001564699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.319{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38197FEF256E8696465E77726F823E6B,SHA256=CD57D03206A080B2714356F349BD2BE8BF6EE61E74A48F93FCB493C01AA817A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.210{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564697Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.209{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564696Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:51.209{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564695Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.158{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C27F-6081-4386-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564694Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:51.156{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564693Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.156{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564692Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:51.156{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564691Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.156{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564690Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:51.155{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C27F-6081-4386-00000000BA01}420C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564735Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:56.123{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C284-6081-4686-00000000BA01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564734Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:56.123{761B69BB-C284-6081-4686-00000000BA01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564733Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:56.111{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DD16B394588A409E5402EFCA87DB046,SHA256=51A1175F3B53517E8F4DDAE18339093C3F0E19FB2A031DFE92E9C829A414A878,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:55.599{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50818-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.387{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.387{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986C1B95F3F234C37F54AE0C7227511E,SHA256=948BCB0C816EA7A682841427512662319929EDCA62ED1717716D36DF2FBF4738falsefalse - insufficient disk space 354300x80000000000000001564750Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:50.679{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22420-false10.0.1.12-8000- 23542300x80000000000000001564749Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:57.348{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A063027A37974F6CC657BB76C37E5D,SHA256=356EBC67719FEDAADFB1CB7C43E1D4C3DE892817EDBE4D3FDC7EDF9226019AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564748Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:57.266{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB91E0248ECDC653B8C59FAD931C1CA5,SHA256=A3E03907949AC54F0B67330FC10BBED196A7B3DAF7EBC501DB32F2A14B5549EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564747Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:57.213{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564746Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:57.213{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.135{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.135{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=053B84B057D595C5F2A8C14B267537B8,SHA256=BDCC30F1540E57B83496203C36174E280C85BF671E27D56EC6FC4DD2FA8399CEfalsefalse - insufficient disk space 11241100x80000000000000002531722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.135{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.135{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67EE751F5BDCB5CD41327F66039A4C1B,SHA256=F80E42F4D31D572BBD7B943F28215D54811D0986380B224DC8854FF7A933D998falsefalse - insufficient disk space 11241100x80000000000000002531733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:58.389{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:58.389{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34AEFD5E832A55FF7161F42B34DF832,SHA256=7359A17483B99489147C06A57E7850F23FFBAF5979DBC35C1C8388B55679D57Dfalsefalse - insufficient disk space 
23542300x80000000000000001564753Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:58.351{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD4F1982F6C29C137733A9DFEA56B56,SHA256=CDAB51FC7D93A81C2F604677027BAC568058C7AC0C109E344C8AFA445652C3E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002531731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:58.173{21761711-83AD-607D-0C00-00000000BB01}7247672C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:37:58.173{21761711-83AD-607D-0C00-00000000BB01}7247672C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002531729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:58.173{21761711-83AD-607D-0C00-00000000BB01}7247672C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002531728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
18:37:58.089{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001564752Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:58.214{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564751Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:58.214{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002531738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:57.557{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50819-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 
11241100x80000000000000002531737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:59.492{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:59.492{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C656B131D48D093A68BD88FAEBA2799,SHA256=65E009E747052B088E2D6C5E42771703392153D71B0FB55BAD485D342E0068B4falsefalse - insufficient disk space 10341000x80000000000000001564764Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.564{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C287-6081-4786-00000000BA01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564763Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:59.562{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564762Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.562{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564761Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:59.562{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564760Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.562{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564759Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.561{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C287-6081-4786-00000000BA01}7060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564758Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.561{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C287-6081-4786-00000000BA01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564757Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.561{761B69BB-C287-6081-4786-00000000BA01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564756Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.354{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F6914CA775817D2AA2A22AEF5EA374,SHA256=C56AB6B86E393A0BAB18303038FCE14B1A106E6B6F8E8721A127492BE7670932,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002531735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:59.122{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:37:59.122{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=053B84B057D595C5F2A8C14B267537B8,SHA256=BDCC30F1540E57B83496203C36174E280C85BF671E27D56EC6FC4DD2FA8399CEfalsefalse - insufficient disk space 10341000x80000000000000001564755Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:37:59.215{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564754Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:59.215{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:00.494{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:00.494{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD11E7BD7B06AD604ACA285CDEF7A3AA,SHA256=4810E9F4F62EF4919986318A5A1A45178251B9B51E91973F197875B8E244E721falsefalse - insufficient disk space 10341000x80000000000000001564785Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.908{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C288-6081-4986-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564784Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.906{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564783Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:00.906{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564782Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.906{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564781Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:00.906{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564780Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.905{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-C288-6081-4986-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564779Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.905{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C288-6081-4986-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564778Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.904{761B69BB-C288-6081-4986-00000000BA01}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001564777Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.564{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE4A3C26CD0B6F6EEBAD32E12DE07357,SHA256=6B32986780BE570B1DB0F037562E6B1D4BB1151C5A98C1C658BE302A7EFE4FAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564776Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:00.370{761B69BB-C288-6081-4886-00000000BA01}19841680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001564775Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.362{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3AF1BAAFF354715E22987564A73487,SHA256=873DFF8945D9D69BDA724903C28F056DAA40268902F921F2D6EF46DF64227C8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564774Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.228{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C288-6081-4886-00000000BA01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564773Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:00.226{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564772Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.226{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564771Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:00.226{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564770Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.225{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564769Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:00.225{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C288-6081-4886-00000000BA01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001564768Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.225{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C288-6081-4886-00000000BA01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001564767Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.225{761B69BB-C288-6081-4886-00000000BA01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001564766Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.216{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564765Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:00.216{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:38:01.666{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:01.666{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A028354B49D2353B9F82C41DB65DBC2D,SHA256=821CE76687D256C779E9075CF3394E45EC984BFC9F09EBBA12FF156D57BFD7ADfalsefalse - insufficient disk space 23542300x80000000000000001564790Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:01.907{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B956AFF16D9C7EDFAFCD3D930615C1,SHA256=CC4E525E39DB50DD3B0ABB442F980D280AA359DB106AE12A846BC5B4516BC658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001564789Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:01.371{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EBD3EA74344DC18D4E7BAE785B147F,SHA256=82283D885B536866F2CA352006125A0ACA4B3D888E14EB556EBBA436CE4FAD74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564788Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:01.216{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564787Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:01.216{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564786Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:01.051{761B69BB-C288-6081-4986-00000000BA01}56726872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002531747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 18:38:02.831{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d737a6-0xa08b7e7d) 11241100x80000000000000002531746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:02.668{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:02.668{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A110C58C70A5F84977A0E7A5C26112,SHA256=D66DDDB28EEEE68B25A1BD87D44B679F013060A757C72056BB59C56AF491EF58falsefalse - insufficient disk space 23542300x80000000000000001564793Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:02.376{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746B57D5F9065BAFB1882CEBF6A3DCDA,SHA256=367190F1439C1992BC1984310CCC9F2A4A05C9E092DD1B9267CB7ED5A3F8808B,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002531744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:02.167{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:02.167{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0003DC5E085046CB37D9779E4B963B4A,SHA256=86C6B7F8535F674792F8535AB5B5619283267FB7B4F091A7501E93FC9559C28Afalsefalse - insufficient disk space 10341000x80000000000000001564792Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:02.217{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564791Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:02.217{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:03.852{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:03.852{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF10C162AC184901022B42663A5D513,SHA256=8923EC24799F20EB0B1EC9F132B01EA1DD1D462496304775D9C5D31AE24419C2falsefalse - insufficient disk space 354300x80000000000000001564797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:37:56.581{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22421-false10.0.1.12-8000- 23542300x80000000000000001564796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:03.383{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFABF3D211B4DCF0CA26BC34A900145,SHA256=1C28A68C1AB43E3CD98C8A34D16BE9288305F8AE71310ECCE5C2B1F58771B6E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002531748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:00.633{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50820-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001564795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:03.217{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564794Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:03.217{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:04.889{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:04.889{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74938D16B8A8422CB5EBE812FFC10BF6,SHA256=36F06A54505956E2BA650581E13673EAD7B45E35A151981995E4DA59101825A0falsefalse - insufficient disk space 23542300x80000000000000001564800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:04.387{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0FE85CCFA4001D264C0DE386EBA7D8,SHA256=936829CE1DA0A8891612F3C0E13EAC3D7729B4AB6C6BE1BB04E3F0B99884306A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001564799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:04.218{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:04.218{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002531754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:05.907{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:05.907{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FB69C1550631D1F5DFB59C53B827EF,SHA256=F8D5DB166F5BFA783393D49D891741E3665C140890C1BAAD41F042E222DC3036falsefalse - insufficient disk space 23542300x80000000000000001564803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:05.390{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC2DEBEB93FF70F6024853950BCF094,SHA256=825F07C569CD205D5FBDA97A304919005DC7EB1CDB8AC47C89FD7CE42466AE9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001564802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:05.219{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002531805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002531804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002531803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002531802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002531801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002531800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002531799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002531798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002531797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002531796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002531795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002531794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002531793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002531792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002531791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002531790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002531789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002531788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002531787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK 
providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002531786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002531785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.253{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000002531784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.239{21761711-C294-6081-D887-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002531783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:38:12.238{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:38:12.238{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:38:12.238{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:38:12.238{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002531779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:38:12.238{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002531778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:38:12.238{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002531777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.222{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:12.222{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D95E27BD7DD979264EFA17E7A6CC4A4E,SHA256=06438C8FB26D15A52D5E33B039086875958D9467A0BA20B5A723F58CB5A4A83Ffalsefalse - insufficient disk space 354300x80000000000000001564834Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:07.596{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22424-false10.0.1.12-8000- 23542300x80000000000000001564833Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:13.437{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A8A330DFD3A96214220CF5CF13EC83,SHA256=E7637DEFB962A51375102D4CFD67C535E3FD9307C9192B1DF0628A5095181828,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002531841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:10.688{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50824-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002531840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:13.325{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002531839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:13.325{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB6571FFC133C45666CDEEDFCD7C1E7,SHA256=0D31ADF339C74CA9EE8BD078492FF4351409612C6414CE5E8ECE9E736CB9C31Efalsefalse - insufficient disk space 11241100x80000000000000002531838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:13.275{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002531837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:38:13.275{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F3EF78A8BE84AF07FC4F0856DC41C3,SHA256=A4FC1DE912CF9B5DF054F217423B8FA8E5D0DA725C3F5E64A93EF57A8A6BACD4falsefalse - insufficient disk space 10341000x80000000000000001564832Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:13.224{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564831Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:13.224{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564836Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
18:38:14.224{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001564835Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:38:14.224{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001589783Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:33.143{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26293-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001589782Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:32.647{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26292-false10.0.1.12-8000- 10341000x80000000000000001589781Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:38.882{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589780Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:38.882{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589779Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:38.379{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACF218272FE7D574D91D03C8CC0DD18,SHA256=0B08809B37736D5D60EF877CE7340AC234B38AF8099D4D0070DFBB6D4BCDA803,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:38.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:38.119{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038A88C30D8A313F68C60F4A79065C8C,SHA256=F3C9F5343351A4957A7DD061A4EEBFFD1FF6B0EF6A14D7DF90246313D8F55BACfalsefalse - insufficient disk space 10341000x80000000000000001589787Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:39.882{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589786Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:49.890{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589830Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.890{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589829Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.485{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F597D216518E1A651090D56BCBC159,SHA256=37A4EABE08D54784BCC02D155489F7FE4E227DAF37C775FF20981E39635BAE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001589828Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:49.267{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB4FFC92EC48CF5F34D9706715068E91,SHA256=9F40D91002C3AE64DBC6E5D4028A49BCCACE1C29C09179D4700F742A8568BE5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001589827Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.040{761B69BB-88A9-6081-637F-00000000BA01}58365960C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589826Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.040{761B69BB-88A9-6081-637F-00000000BA01}58365960C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program 
Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589825Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.040{761B69BB-88A9-6081-637F-00000000BA01}58365960C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589824Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.039{761B69BB-88A9-6081-637F-00000000BA01}58363496C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program 
Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589823Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.038{761B69BB-88A9-6081-637F-00000000BA01}58363496C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589822Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.038{761B69BB-88A9-6081-637F-00000000BA01}58363496C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program 
Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589821Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.038{761B69BB-88A9-6081-637F-00000000BA01}58363496C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589820Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.032{761B69BB-8AA3-6081-A17F-00000000BA01}4132ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio15582734127209932646.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002590507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:50.680{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:50.680{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1167DB6A652C043C36330950379631F6,SHA256=19127F65177DFE91F4D589AC4CFF8D065A0D472A87DFC7617465C541B92367EAfalsefalse - insufficient disk space 10341000x80000000000000001589843Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.891{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589842Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:50.891{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589841Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.491{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441B21162B3ED02AC3C2CDD6775C02E1,SHA256=D10E5EBBC19C0AC39F9349E2C6848CB08C7811A1984DD0DD4D4B2FA11A45DBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001589840Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.274{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D57A-6081-7A88-00000000BA01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589839Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:50.272{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589838Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.272{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589837Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:50.272{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589836Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.272{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589835Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:50.272{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-D57A-6081-7A88-00000000BA01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001589834Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.271{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D57A-6081-7A88-00000000BA01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001589833Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:50.270{761B69BB-D57A-6081-7A88-00000000BA01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002590510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:51.682{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:51.682{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240E2D702BA206D806E4445719B638DC,SHA256=39FF97E17E132B7B60D393A093191D942C992D05626935DDDD26F4AF9CF1552Afalsefalse - insufficient disk space 10341000x80000000000000001589850Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:51.891{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589849Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:51.891{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589848Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:51.497{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94319176603DF35E6E1384E423107A6C,SHA256=D85A5419DC2CAB754884723CB9EBA84541FE28BD8A9FFE66CFCB5FE60B8B4571,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002590508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:58:48.608{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52539-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001589847Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:51.336{761B69BB-88A9-6081-637F-00000000BA01}58365960C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589846Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:51.336{761B69BB-88A9-6081-637F-00000000BA01}58365960C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001589845Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:51.336{761B69BB-88A9-6081-637F-00000000BA01}58365960C:\Windows\explorer.exe{761B69BB-8AA3-6081-A17F-00000000BA01}4132C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589844Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:51.275{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD5B5DDCA0D186E372CF02CEF874B185,SHA256=2AD3726EDC33FECCA7FA061CD9B0EB4AAA4E157B0F5B6CCCAE372ED2A1C4181A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:52.685{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:52.685{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF42D02DE4EB4C3C4E00B83FA984F44,SHA256=58B778774DB85D3376E843116B4F40CCCE13AF88454755A83E45E9637924E97Efalsefalse - insufficient disk space 10341000x80000000000000001589855Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:52.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589854Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:52.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589853Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:52.500{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE77F9655E34F05A683FA71E8BDB06F,SHA256=D5FB8194559F4082D8E7A21E3F7AAA94240E100359A7E7047BF150489103A7B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001589852Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:52.459{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A4BECE947DDE3BB4D17739987DC80AC8,SHA256=12EE07CC5A44FC037174AD06217CB2AD7A638D6CE8DB7E54F2C826055B5DA775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001589851Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:52.338{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:53.687{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:53.687{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B96C365BD456F94145DE2874A9002A,SHA256=A2D2BC70B1C16C0754F52B66D4CF0BBD3E22FD8D9A4F8053A5EABE3761BA22EBfalsefalse - insufficient disk space 354300x80000000000000001589860Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:47.770{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26296-false10.0.1.12-8089- 10341000x80000000000000001589859Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:53.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589858Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:53.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001589857Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:53.504{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F9A0BFBF1CBDD725C4BF10C80823FF,SHA256=19C1658543FD95F27EA15168250DA05201A8F5990E9CCB1D46D31CD854DB4C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001589856Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:53.335{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D6562F6292D2453AE7B9414D2DD0B99,SHA256=42CEE03421A43A402D012F968A0D7D49CC935169D802FFDDC32398968CD4F82B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:54.690{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:54.690{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A132211AAACCF186833D64ED3DD2E72B,SHA256=9D90EAD56990568EEAE736B235807A8F9374566EF2B9146BC594494D6E83E48Cfalsefalse - insufficient disk space 10341000x80000000000000001589880Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:54.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589879Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589878Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.724{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D57E-6081-7C88-00000000BA01}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589877Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:54.723{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589876Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.722{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589875Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:54.722{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589874Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.722{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589873Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.722{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D57E-6081-7C88-00000000BA01}2196C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001589872Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.722{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D57E-6081-7C88-00000000BA01}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001589871Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.722{761B69BB-D57E-6081-7C88-00000000BA01}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001589870Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.512{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132C0BE95B197AC58C92B5DE58F571E7,SHA256=1513FD55B56C0A47C589079E459550D921B48B2D77F9101E110878FEFD77ACA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001589869Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.252{761B69BB-D57E-6081-7B88-00000000BA01}68203724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589868Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.115{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D57E-6081-7B88-00000000BA01}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589867Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.113{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589866Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:54.113{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589865Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.113{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589864Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:54.113{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589863Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.112{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D57E-6081-7B88-00000000BA01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001589862Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.112{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D57E-6081-7B88-00000000BA01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001589861Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:54.112{761B69BB-D57E-6081-7B88-00000000BA01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001589894Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:49.552{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26297-false10.0.1.12-8000- 10341000x80000000000000001589893Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:55.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589892Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.892{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589891Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.528{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961D76007FC4686DE15100058C0718AC,SHA256=614664ADE6B06C85A2F341FEA993D8E7C0A1D08C9B8EF2818319D373CEA6100A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:58:55.692{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:55.692{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B252B78D57BF3913DCA4B188673379EF,SHA256=65B95F89A0D144BF5F92A16F00D3BF41EE002C9EA3F8CE43CEDA1333558983E9falsefalse - insufficient disk space 10341000x80000000000000001589890Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.386{761B69BB-D57F-6081-7D88-00000000BA01}38243544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589889Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.241{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D57F-6081-7D88-00000000BA01}3824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589888Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.239{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589887Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:55.239{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589886Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.239{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589885Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:58:55.239{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589884Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.238{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D57F-6081-7D88-00000000BA01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001589883Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.238{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D57F-6081-7D88-00000000BA01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4DD3C2AD2F34AE61636B5DAB86BB6A,SHA256=F369EF387CCEA586A78554156019517993AAE9D0DFC94A93BD3B800DA65333CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:00.735{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:00.735{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED98A452588A7CC0B1C5DFF031695F3,SHA256=5EE31A263AE2D6C31677875D68B10B199751A22FAD91189FB49CB8C5B7E80D75falsefalse - insufficient disk space 11241100x80000000000000002590539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:01.738{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:01.738{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8377CEBEC2DCA12231D8C7B37FC66422,SHA256=5799E7EBD9E107CAC3C83F2FAF818692B0DD7F815DB8A997D1B8E0BF5DBE0836falsefalse - insufficient disk space 10341000x80000000000000001589942Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:01.895{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589941Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:01.895{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589940Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:01.592{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2F990051FB8BAC7CA86206F61E3C16,SHA256=14CB2327DD6E573059ECED21AD565491EEE159DC9437FA09FFABE82EC40A880B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:01.154{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:01.154{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA488BFC4FD02E9F92C20D98CF433162,SHA256=055F512E9485F6AB3C30F412C1528B1F752CD376C8435F0B11E465AE86837A30falsefalse - insufficient disk space 11241100x80000000000000002590535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:01.153{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:01.153{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3E0DBF17DE4C7D53FE1DB5E6708F03A,SHA256=266C49CFEE623144FD37A8593E81959084E68C2416F22FD58203EDAE6D4CD4B2falsefalse - insufficient disk space 
23542300x80000000000000001589948Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:02.962{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8B4E3508D0D5D78C2F6F42144334D0B,SHA256=DF9C8820E66C664A33E3D85C3C1C50C285F269D05ACD1555C579E753DD14C449,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001589947Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:02.896{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589946Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:02.896{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001589945Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:02.600{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DA2BFB27CB0BAF5C7ED1B2DB0511E1,SHA256=19580A05D6F94FA5321F37CCC4842ED57A5071DDD22B2B3FBAA10E5D5772278F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:02.740{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:02.740{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D94910824F9782EC9A5D1023EF7AEC,SHA256=84C3097E68722E05DC4676C702F1979A6D84C0608329AA4176A54F0B0DC59069falsefalse - insufficient disk space 10341000x80000000000000001589944Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:02.046{761B69BB-818A-607D-0B00-00000000BA01}6327136C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001589943Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:55.452{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26299-false10.0.1.12-8000- 11241100x80000000000000002590544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:03.811{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:03.811{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CC8BA17AFBCE96266594ED1656C2B0,SHA256=23799D6177F9BB0B2404BBDD34814F0279E469B2151B4A977D5BCF611330A3CAfalsefalse - insufficient disk space 10341000x80000000000000001589953Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:03.897{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589952Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:03.897{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589951Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:03.607{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE37F02243AAAFCB8E4F3A02CFEE9F50,SHA256=A63D4E06078501220B9582038550878C213EC0298A12E20E5206614E16E4C872,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001589950Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:57.379{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26300-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001589949Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:57.379{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26300-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000002590542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:58:59.612{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52541-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001589989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.898{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.898{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.836{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589966Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589965Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589964Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589963Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589962Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589960Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.835{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589959Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.612{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB74FF38FBF1162F53A7F07E42676EC,SHA256=5F4EE4D6474A3817788091E1B508911EB4EBB92DC512D912DF20A11B6FB4D5D2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001589958Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:04.316{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B714AE697217A6F2A7172B39C31D51B8,SHA256=6E075B14EF9AEAFC2B2F7D47762DC61E8EADEB3F0684604089023567C63C5863,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001589957Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:57.482{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26302-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001589956Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:57.482{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26302-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001589955Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:57.385{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local26301-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001589954Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:57.385{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26301-false10.0.1.14win-dc-982.attackrange.local389ldap 10341000x80000000000000001589993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:05.898{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:05.898{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:05.635{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC45112027FDF0DB6CCD86731AB6A4E3,SHA256=63C0151792BAF1AF8FFBD3D228F3FBE00976713E0D7160874EF5ED9F302DDBE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:05.114{21761711-D563-6081-218A-00000000BB01}8012c:\windows\syswow64\windowspowershell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache2021-04-19 12:25:39.301 23542300x80000000000000002590547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:05.114{21761711-D563-6081-218A-00000000BB01}8012WIN-HOST-5\Administratorc:\windows\syswow64\windowspowershell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=2C8FDAC4F0979082D0AEC45FDAB70383,SHA256=D1CB5AE44E22975193CF086319C403B9C11120DABED6779AD99DFBF2ABBA64AFfalsefalse - insufficient disk space 11241100x80000000000000002590546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:05.029{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:05.029{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CAC9B7B97DDD29F6CEBD8C7B69674A,SHA256=B6E756CA6A7B7DBC20517D93623729A50B4A74A8D47A4041531AC39AF135D69Dfalsefalse - insufficient disk space 354300x80000000000000001589990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:58:58.750{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26303-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 
10341000x80000000000000001589997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:06.899{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:06.899{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:06.641{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DB7E6814FF51A4C46A01C59B029F4E,SHA256=CD6AEDBF7EFFA25F9897BD93D62536703F085F952265248DD43361219E011161,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002590554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:06.267{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:06.266{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A590FE2E65C384CB28D6C4AD6A1D81,SHA256=5A451BD35DFD1DC75B31F750920AE204DD54E1EF94F16B02CD4A3D45D9D62A04falsefalse - insufficient disk space 23542300x80000000000000001589994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:06.150{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93DECDAB4CEDF8D6C850BBDB701ECD99,SHA256=A2637CCB7E90509CA882EEE4F956D2ED0CB7EB3B29FA09B39050F8CB202D40FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:06.166{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:06.165{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=713B42474A150774CA9083C7A59D13DD,SHA256=D7C30B7ECF2A1790D9974C55196FC0F9BB66A85C03B1377E2FC3522826DE6DA2falsefalse - insufficient disk space 11241100x80000000000000002590550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:06.165{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:06.165{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA488BFC4FD02E9F92C20D98CF433162,SHA256=055F512E9485F6AB3C30F412C1528B1F752CD376C8435F0B11E465AE86837A30falsefalse - insufficient disk space 10341000x80000000000000001590001Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:07.900{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590000Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:07.900{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001589999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:07.645{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB123518E726ECDE1DD67AC594B47A9C,SHA256=CAEA6127BCF2C3AD39EC967477BD90FEBE82D92CBF74B09D426A7F9CA6DF1CD6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:07.319{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:07.319{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E86DB0CA6888C0DD9FBCF7E0B891491,SHA256=0FE70897F1AAA56F9FB2A3E26ACB883A339B28A84B9F33281255C272579426F7falsefalse - insufficient disk space 
354300x80000000000000001589998Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:00.580{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26304-false10.0.1.12-8000- 354300x80000000000000002590555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:04.624{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52542-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001590007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:08.901{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:08.901{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:08.650{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75E898FA3C1EE3FDA9923B1D4660674,SHA256=DE63DEDBF1E3A679DABC61BC250DFA309E5910EA2BAC2CC323A6716675FD12F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:08.353{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:08.353{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49EC668A2C6EE9BB4EEA739D56E53C3,SHA256=24321B418CAFAD82400B01D107249B98D64601B9D7ED54AAC54807C5EEC6D221falsefalse - insufficient disk space 
10341000x80000000000000001590004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:08.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590003Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:08.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590002Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:08.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:09.902{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:09.902{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:09.664{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6961BD3B32658641111342A23E20CB80,SHA256=66F2333970EF01833C4C98D4CE212394BC460A918D9E91488BA171EB1F3E1E4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:09.473{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:09.473{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AD392F462545C3359782B7691ED6E8,SHA256=92A4CEA460A702AF5E1F4F9828747217C95BA6448701CA5CE426E828F3BCEF6Cfalsefalse - insufficient disk space 
10341000x80000000000000001590013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:10.902{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:10.902{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:10.666{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1A8701A366C6F3C039C385751E66DB,SHA256=E5B9699EA063290194E724981DEB1F4EE79BF9FAC237483E5C194FC6DEB66E06,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002590563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:10.476{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:10.476{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6242C3EB9E7A6F3C484DC7D721D3ED68,SHA256=FB1D632C8AB70C5836AFE3CA2FBDA42BBF7F071E8C60F0866650EC4E5A55B6C5falsefalse - insufficient disk space 10341000x80000000000000001590016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:11.903{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:11.903{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590014Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:11.677{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DB01823FC4E101D1003E9B0FC76BC1,SHA256=77425CEFC80C6542A3F8E14214AF15BC9B244DBE29209910F1097B5CAD1908E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.514{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.514{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C0DD7AF717C4636433C57EEDBCE91B,SHA256=DF41A4B3D37F1AA2216C2A273263E1C78FB5A15A1A377E1E75C8BA44BDE08090falsefalse - insufficient disk space 
534500x80000000000000002590623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.282{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002590622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.282{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002590621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.282{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002590620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.282{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002590619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.229{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.229{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E23B9285E1C749927A49DDBE94DFF35,SHA256=FE6662C85E6C6BB546B9DBD2A419A3E30F895347B531DDC92912FBD4978B7636falsefalse - insufficient disk space 11241100x80000000000000002590617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.229{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.229{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=713B42474A150774CA9083C7A59D13DD,SHA256=D7C30B7ECF2A1790D9974C55196FC0F9BB66A85C03B1377E2FC3522826DE6DA2falsefalse - insufficient disk space 734700x80000000000000002590615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.160{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000002590614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.160{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002590613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.160{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002590612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:11.160{21761711-D58F-6081-238A-00000000BB01}2240\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002590611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.160{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002590610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002590609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002590608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002590607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002590606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002590605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002590604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002590603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 
734700x80000000000000002590602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002590601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002590600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002590599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002590598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002590597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.144{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002590596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002590595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002590594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002590593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002590592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002590591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002590590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002590589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002590588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002590587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002590586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002590585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002590584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002590583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002590582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002590581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002590580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 
734700x80000000000000002590579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002590578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002590577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002590575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002590574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002590573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002590572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:11.128{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002590571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.128{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002590570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:11.113{21761711-D58F-6081-238A-00000000BB01}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002590569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:11.113{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:11.113{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:11.113{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:11.113{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:11.113{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:11.113{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
10341000x80000000000000001590021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:12.904{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:12.904{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:12.687{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243818265E994898725CE466C0E73AE8,SHA256=4A68BC9C4212B7BF2B505DFFB87C936D9B2B71824B0B728BDDB44F142A441643,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002590630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:12.616{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:12.616{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019FFA8B8C583CBDAF7021042E87FEA9,SHA256=9F4688077EF267836ACF79B812C0F79FF4DE43B9AC4308EE11F7EF11738CFFC8falsefalse - insufficient disk space 23542300x80000000000000001590018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:12.046{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3381B497862C47B6A4E1652C68AB5E29,SHA256=2977C90239AD4AABD428508A9C27B47EA5C12DF83B4532E8982ACAF27D28DB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:12.046{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6175FF3194034E449BE9219C3AFD137C,SHA256=056ED535DD3692E07C3642FF64C3B379EF42CF08A9D46D03DC61EB7D61C5B2B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:12.516{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:12.516{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E23B9285E1C749927A49DDBE94DFF35,SHA256=FE6662C85E6C6BB546B9DBD2A419A3E30F895347B531DDC92912FBD4978B7636falsefalse - insufficient disk space 354300x80000000000000002590626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:09.636{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52543-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002590632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:13.619{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:13.619{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10BEE2B337474919DF5570DCA9C5295,SHA256=6AFF4C5D6F4C9AA52178F3B061B19C55FA0C63D96CD4531C5D1407F785D888A9falsefalse - insufficient disk space 
10341000x80000000000000001590026Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:13.905{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590025Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:13.905{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590024Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:13.772{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3381B497862C47B6A4E1652C68AB5E29,SHA256=2977C90239AD4AABD428508A9C27B47EA5C12DF83B4532E8982ACAF27D28DB2E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001590023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:13.695{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225FFD9E4B8052CF6FA20EDC3997E7DA,SHA256=E2F192747911AD505D0DE44C261DDDABFB9739D4E29F97A295667B87C35BCBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001590022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:06.468{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26305-false10.0.1.12-8000- 11241100x80000000000000002590634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:14.621{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:14.621{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9489B459C4EF682427BD47C490C54C3A,SHA256=97F0DB42F2358D0A7214C6D7F6102097E7DCA0205191FD4E407F707014E49161falsefalse - insufficient disk space 10341000x80000000000000001590029Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:14.905{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590028Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:14.905{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590027Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:14.704{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D6CBF875DE1D9630CDAA132D2271E6,SHA256=441A9024B72DE674ADCA31CC436C81D5C6F85DB02232500F42311F2E93B242EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590032Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:15.906{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590031Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:15.906{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590030Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:15.706{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098DC281649D4AB292C4F246799687B1,SHA256=256975D232BBBA9553F44013A96495E5C9F8BE839CAD7396E3463AE4C1435746,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002590692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:15.855{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002590691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.855{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002590690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.855{21761711-D593-6081-248A-00000000BB01}57724300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.855{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000002590688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.855{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002590687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.739{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002590686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.739{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002590685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002590684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002590683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002590682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002590681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002590680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002590679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002590678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002590677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002590676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002590675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002590674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002590673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002590672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002590671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002590670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002590669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 
(rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002590668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002590667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002590666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002590665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002590664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002590663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002590662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:15.724{21761711-D593-6081-248A-00000000BB01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002590661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
space 23542300x80000000000000001590033Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:16.397{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D97640C4E32D392A579199FB74664AA,SHA256=FFF9971757C26CC3EDC507C24007C6F7DDDFA6BE91054C6589A236AC55F99BA9,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002590756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.441{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002590755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.441{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002590754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.441{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002590753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.441{21761711-D594-6081-258A-00000000BB01}5176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002590752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.341{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.341{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F7BD1963CDC3A8A7D6DB6CA06E3C40,SHA256=EE9FA886C5E5073CEB8B6D651671ED40FC968B63F01835650ADB64CEFC687C70falsefalse - insufficient disk space 734700x80000000000000002590750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002590749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002590748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002590747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002590746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002590745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 
734700x80000000000000002590744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002590743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002590742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002590741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002590740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002590739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002590738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002590737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002590736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002590735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002590734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000002590733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002590732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000002590731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.310{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002590730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002590729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002590728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002590727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002590726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002590725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002590724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002590723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002590722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002590721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002590720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002590719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002590718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs 
Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002590717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002590716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002590715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002590714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002590713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002590712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002590711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 
734700x80000000000000002590710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002590709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000002590708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002590706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002590705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002590704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000002590703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-D594-6081-258A-00000000BB01}5176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002590702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.294{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002590701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.288{21761711-D594-6081-258A-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002590700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:16.287{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:16.287{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:16.287{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:16.287{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:16.287{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:16.287{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002590694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.209{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:16.209{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDCC9574755FFBB24C50E021845DD915,SHA256=44E2CF7BA9A24F211B17E20A2C56BB478DA70334524E1D895B34978EAAE10EC2falsefalse - insufficient disk space 10341000x80000000000000001590039Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:17.907{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590038Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:17.907{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590037Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:17.715{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825FC02214BEFDBD6ABF42F9800FC24F,SHA256=82FBE3A09E0B88EB0B28ED8DE37E0EAF4A7132EDC3A3C1F4D6C14720F043A1DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.813{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.813{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A200BB883BB2BB69B438094882CBB2,SHA256=ADB41F26F57331248AEA218B6DBAD448CF84F230D09F01E985AF5718945FBE90falsefalse - insufficient disk space 
534500x80000000000000002590876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.798{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002590875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.798{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002590874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.798{21761711-D595-6081-278A-00000000BB01}31165864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.798{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002590872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.798{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002590871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.794{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.793{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E607E746A77EE902FAF7FF17D706D981,SHA256=D2A9B7B34872E0D217B76CA63D2DF617AB1926A1968DEC6653BF99AD8ADC6FF5falsefalse - insufficient disk space 734700x80000000000000002590869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.675{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002590868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.675{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002590867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002590866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002590865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 
18141800x80000000000000002590864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002590863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002590862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002590861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002590860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002590859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002590858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002590857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 
734700x80000000000000002590856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002590855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002590854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002590853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002590852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002590851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002590850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002590849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002590848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002590847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002590846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002590845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002590844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002590843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002590842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002590841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002590840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002590839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002590838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002590837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002590836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002590835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002590834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002590833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002590832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002590831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002590829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002590828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002590827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002590826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002590825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.660{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002590824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.645{21761711-D595-6081-278A-00000000BB01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002590823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
19:59:17.644{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:17.644{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:17.644{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:17.644{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:17.644{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:17.644{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002590817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.296{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.296{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1754CDE34A4CD210944247F41181684C,SHA256=89F0BE4594CDFCF1F404441857ADF2875F293CFA3F693642FC94D5CF000F017Cfalsefalse - insufficient disk space 534500x80000000000000002590815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.112{21761711-D594-6081-268A-00000000BB01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002590814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.112{21761711-D594-6081-268A-00000000BB01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002590813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.112{21761711-D594-6081-268A-00000000BB01}41884604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.112{21761711-D594-6081-268A-00000000BB01}4188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002590811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:17.112{21761711-D594-6081-268A-00000000BB01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002591044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002591043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 
734700x80000000000000002591042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002591041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002591040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002591039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002591038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002591037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002591036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002591035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002591034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.963{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002591033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002591032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002591031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002591030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002591029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002591028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002591027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002591026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002591025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002591024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002591023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002591022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002591021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002591020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002591019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002591018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002591017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002591016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002591015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000002591014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002591013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002591010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002591008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002591007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002591006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002591001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002591000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.947{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002590999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.935{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002590998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.932{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:18.932{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
19:59:18.932{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:18.932{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.932{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:18.932{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002590992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.932{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.932{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0A8A0352AAA9A7BE15D829CFE355AC,SHA256=DC560C57A7320031791E4ECAB8134CD0EE8668A62D68503D0DA3CBEDFD5B5875falsefalse - insufficient disk space 10341000x80000000000000001590043Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:18.908{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590042Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:18.908{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590041Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:18.721{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA7ED034699C903918DDBBCAD73E070,SHA256=D2CBBD3770AE4550E25FE091FA9501BD1D2A6BB4663BB00BA4735A4BD7869523,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002590990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:18.646{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002590989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.646{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF982417EB1059314F80B07A18CBC815,SHA256=5C930531AC6C03E306AF31594B6EEC079B75C513C2A3DE374EC5FBA46ACBEE5Cfalsefalse - insufficient disk space 534500x80000000000000002590988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.499{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002590987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.499{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002590986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.499{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000002590985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.499{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002590984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.394{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002590983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.394{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFB5F5CE6F87424DC4182C056602D16,SHA256=4D369DF94A34488320E3DAA73B9E835C0A3E7609360B74C1051C05235C470F00falsefalse - insufficient disk space 734700x80000000000000002590982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.377{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000002590981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002590980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002590979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002590978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002590977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002590976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002590975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002590974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002590973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002590972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002590971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002590970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002590969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002590968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000002590967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002590966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002590965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002590964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002590963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002590962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002590961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002590960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002590959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002590958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002590957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002590956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002590955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002590954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002590953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002590952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002590951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002590950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002590949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002590948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002590947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 
734700x80000000000000002590946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002590945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002590944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002590943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002590942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002590941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002590940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002590939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-D596-6081-288A-00000000BB01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002590938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.361{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002590937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.346{21761711-D596-6081-288A-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002590936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.346{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:18.346{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.346{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:18.346{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002590932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 19:59:18.346{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002590931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 19:59:18.346{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000002590930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:18.330{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002590879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:18.330{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590046Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:19.909{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590045Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:19.909{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590044Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:19.725{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E764D7C12A1982B9742C404CB46B46,SHA256=937F652E86C88260FD955E5B7A032DD519E98FCCCD881A597A3CB09D982F7F9B,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002591048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:19.098{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002591047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:19.096{21761711-D596-6081-298A-00000000BB01}59083816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:19.096{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002591045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:19.096{21761711-D596-6081-298A-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
10341000x80000000000000001590049Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:20.910{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590048Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:20.910{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590047Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:20.728{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B522795E29E681F24547459FE329C9,SHA256=5CD29FAB7B9A1C7E5C00B5C04DA013E28A8603C0A8DE55C186B7271D153B22A6,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002591052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:20.034{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:20.034{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B28B5B76D8CCDDA59EDB07C91313A0,SHA256=348F2E6FFF67024A7A709430B8BE2FA249343720CAB0A2F7327DCBADDA7B4330falsefalse - insufficient disk space 11241100x80000000000000002591050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:20.034{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:20.034{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E096ED6A6BC2A4E7E54FB06C9340297,SHA256=AD784AE92169ED19AB2B2831DCFA59AD32D769F218FCE83B8551E196AE4F8E0Cfalsefalse - insufficient disk space 10341000x80000000000000001590052Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:21.911{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590051Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:21.911{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590050Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:21.731{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726F4F445C9038440D3157805D8DF953,SHA256=29E06D7B1B0FC6202E84DA5916EEFF6A49C99BDF20D0786FC4469EA78CA66713,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:21.037{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:21.037{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F394937BD571E39C23D1F82300797AE,SHA256=CEA6FF326E056B8DE7E6A3B8ADE35C98ABE27C18CD6F5CA2725CA6690DFD3646falsefalse - insufficient disk space 10341000x80000000000000001590055Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:22.912{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590054Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:22.912{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590053Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:22.736{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06945F212A03A2BD625E7E78C3624BF,SHA256=EDC7B88EAC8C928A414EB94C17EAAC497B6075D9087664D5E0CD656A05962A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002591059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:20.700{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52545-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002591058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:22.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:22.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3F489C862940040FFEF58054FAE6D28,SHA256=FFFF09E3D44F4D096C07231D4B3A34CFE320524003BA63C90A6612576416A31Cfalsefalse - insufficient disk space 11241100x80000000000000002591056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:22.086{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:22.086{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D37C8B70A63DA2C53387EDB40FCEFBA,SHA256=04B05608A7168D607922D962B93CE5C333D907A2A48D2FCF72AD08C89FEB9703falsefalse - insufficient disk space 10341000x80000000000000001590060Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:23.913{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590059Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:23.913{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590058Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:23.739{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FEEBBF9A07594FA47CC97A027AEECF,SHA256=A375E3E44E104FED93E770731AC4B3941752868A48FD94DB47785DC7E794EABC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:23.088{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:23.088{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2B6A1706E1D8104A72801B6BD0D400,SHA256=A0B0D331DEDD5F4AD30E689921C7ADB02FA498AB87DD34A53CB6C8EEE52ACA7Bfalsefalse - insufficient disk space 23542300x80000000000000001590057Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:23.048{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC8BBD9F560D31B32D8510C57043969D,SHA256=F2134A1C474255266DAF8A07BB6F91561A920E42BE62B1A9BC1313D29674F859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590056Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:23.047{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804605C9FDAB0BFABF367F2838BAAFBE,SHA256=427EBC3CA3CC55B70B8BF5825805094CF8F946FED3E7C748D262A7C1AD90EFB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:24.914{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590063Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:24.914{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590062Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:24.754{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6DFEB654D84DD61620D5FF8C56773D,SHA256=9D4696BFA3AB0E0FCB847BE21ACA9EE9B4D52595BB76610F29B14E3E4EC6BA27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:24.108{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:24.108{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA051B132AA659820F109C88202414BC,SHA256=646F0A06BBC606E0545EC1917A2753E95E0A8A2077C8E026260C8D0748BC97B8falsefalse - insufficient disk space 354300x80000000000000001590061Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:17.481{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26307-false10.0.1.12-8000- 10341000x80000000000000001590067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:25.915{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:25.915{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:25.758{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7016735862E2515AF8D3C63D61E4545,SHA256=ADC41421DBD6614CEAA2B8697B110CEE180397AC3F5A22F084C4A63DDB51F7FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:25.331{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000002591066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:25.331{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F9D318D405759F77C0BEC2716E408D88,SHA256=519CFEB15585F0A6829CE34E6E85E4D04679C3B8FF2F29ACA1BBD0A0102F8C1Dfalsefalse - insufficient disk space 11241100x80000000000000002591065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000002591119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000002591118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000002591117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000002591116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000002591115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000002591114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000002591113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 
734700x80000000000000002591112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000002591111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000002591110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000002591109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x80000000000000002591108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000002591107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 734700x80000000000000002591106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x80000000000000002591105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=1A1F35AD47F8EB4BB2203E875C20EDFE,SHA256=21F3B5877315EC221A1F23EA4863A4E987DBFF63D6FCC97C8D59801356413A4BtrueMicrosoft WindowsValid 
734700x80000000000000002591104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 734700x80000000000000002591103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000002591102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000002591101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 
734700x80000000000000002591100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000002591099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\AppPatch\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=3662AA8F2034650E7C045F1BCA730DDC,SHA256=55FEF94CB7F703BEB70D199F749364219DAE1D13E915389E3F4A2A230B5EBEB6trueMicrosoft WindowsValid 734700x80000000000000002591098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x80000000000000002591097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x80000000000000002591096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002591095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000002591094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002591093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000002591092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002591091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000002591089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x80000000000000002591088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000002591087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.258{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02trueMicrosoft WindowsValid 734700x80000000000000002591085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.142{21761711-D563-6081-218A-00000000BB01}8012C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 
10341000x80000000000000002591084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.127{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002591083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.127{21761711-D563-6081-218A-00000000BB01}80124304c:\windows\syswow64\windowspowershell\v1.0\powershell.exe{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+159f9b(wow64)|C:\Windows\System32\KERNELBASE.dll+159c4c(wow64)|UNKNOWN(00000000076838CE)|UNKNOWN(00000000076873FE)|UNKNOWN(0000000007687521)|UNKNOWN(000000000768767B)|UNKNOWN(000000000768A265)|UNKNOWN(00000000076844E3)|UNKNOWN(0000000007687E8A)|UNKNOWN(0000000007681506)|UNKNOWN(000000000768880C)|UNKNOWN(0000000007695C9E)|UNKNOWN(0000000007695D46) 154100x80000000000000002591082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.141{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft 
CorporationRUNDLL32.EXEC:\Windows\syswow64\rundll32.exeC:\Users\Administrator\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02{21761711-D563-6081-218A-00000000BB01}8012C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile 12241200x80000000000000002591081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 19:59:30.120{21761711-D563-6081-218A-00000000BB01}8012c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001590090Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:31.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590089Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:31.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590088Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:31.799{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F0FD72A884E728E1CE5622D11D378F,SHA256=04394FCC3A145E362F5498AF5E66F50FA02EA4F6BF2CE0A91431FBEF5D4DE1FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002591173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:29.583{21761711-D563-6081-218A-00000000BB01}8012C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52547-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002591172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:31.426{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:31.426{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA0237D076FB0125D22497885947C92,SHA256=619FABEA26A5004093E9A7FE88984898273294BA3FAA2878354E2783300486CCfalsefalse - insufficient disk space 23542300x80000000000000001590087Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:31.647{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52184BE1D8F840EAB91EE2465665C6C3,SHA256=8201D61A8BA189436C65A4523A8A3D9104F41A681F5978683344234C4E14A71C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:31.126{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:31.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4637B6CF602CB338E869E51A4AE630DD,SHA256=22C8015C900D1244324C0E4ABF1B0035FB1B048B80B955C18079E922CFE7A46Dfalsefalse - insufficient disk space 10341000x80000000000000001590099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:32.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:32.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:32.804{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC830008D34BDD4A46FEE390AFE01F5,SHA256=CD5DE005AA3166F602E98A2E333984D52FC2E2F6FBD9508B2368ACF7FB645AA0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002591176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:32.430{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:32.430{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDAFF886AB9354FC4EB414B5782BC37,SHA256=30DF66E6F09EE0A98EF04D42E840755A0725AC209DCC84AAFEB44831FE1DBB91falsefalse - insufficient disk space
23542300x80000000000000001590096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:32.649{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3FA199C056E820303F98246D501C3E1,SHA256=5F22BBDACDC6761520477E905B866361206BCC320510151C8F08CB38941B6918,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001590095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:32.306{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad
10341000x80000000000000001590094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:32.305{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:32.305{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10e87f75.TMPMD5=FD9CA3B752C969255F9013E45601E2FF,SHA256=6B542E6C346BCD00B0E9E5182F5689C44912608F9BE79EE9E779CD8B01144944,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001590092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:26.074{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local26310-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap
354300x80000000000000001590091Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:26.074{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local26310-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap
22542200x80000000000000002591174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:30.151{21761711-D5A2-6081-2A8A-00000000BB01}6956win-host-5010.0.1.15;C:\Windows\SysWOW64\rundll32.exe
10341000x80000000000000001590103Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:33.920{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590102Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:33.920{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:33.884{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAECDE0A2396BFE0B9D9816571E05DC1,SHA256=DDD16CCE3C15ECC4AA07C5A597E43D6B46EA0C657F2487FD38920D05C6CE30DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001590100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:33.807{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923BADC60DC235F744FB60A52E0D2453,SHA256=A5FDCCD3F2446F39D7E7BD0FBE052F63C379ADA4540685D1E82A9F6EE5CAB166,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002591184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:31.541{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52549-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
354300x80000000000000002591183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:29.800{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52548-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x80000000000000002591182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:33.550{21761711-83AE-607D-1D00-00000000BB01}19602916C:\Windows\sysmon64.exe{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002591181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:33.550{21761711-83AE-607D-1D00-00000000BB01}19602916C:\Windows\sysmon64.exe{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002591180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:33.481{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:33.481{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CB80CE160EA71B636016AF2BD8429A,SHA256=5F44EAD1236EAA8721B5C6414A439A0CD718DEBD7D53A05595FDFAFC0F77DFD0falsefalse - insufficient disk space
11241100x80000000000000002591178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:33.081{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002591177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:33.081{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D50FE5DA4DBDCCCAB25A849DAAA9869,SHA256=2FEC48553E300C69528BA5E0FEC8C61954567D7843C2FD12EF04C8C9E505D755falsefalse - insufficient disk space
11241100x80000000000000002591186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:34.535{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:34.535{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C512C757D5DAC9CA4F47D64AB6076916,SHA256=040A17058251F2F1FD0771DF67BE78614AA848CEEE3D18B93ADAECFAE3064978falsefalse - insufficient disk space
10341000x80000000000000001590107Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:34.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590106Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:34.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590105Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:34.813{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D2BFBB146B9AB95C36B5166C6375EF,SHA256=84170287EA64CE3D73B06AB68B20EA7A8C8665EB17AD63EEB14C1A144B433554,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001590104Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:28.293{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26311-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
11241100x80000000000000002591188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:35.602{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:35.602{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7275E433E4E961B104F625FC3DDB8C,SHA256=9905CCE7A9781BFF6D7EEF81927BC23FE84FEA6590D38C126A52C44E0DA83374falsefalse - insufficient disk space
10341000x80000000000000001590111Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:35.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590110Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:35.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:35.819{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F088D43F51BB6ECC29BC0B013D28C3,SHA256=03CCAB9C4F38014A7AD85E9EB200E2FBDD8BCDC22FC16C6F6013AA581DB22245,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001590108Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:28.504{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26312-false10.0.1.12-8000-
11241100x80000000000000002591190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:36.620{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:36.620{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C0A743C26CB4C3D1AFE0DE10C0F1D6,SHA256=891734C6856794C7EEA40AD8CB25FD04B6683E3D75E3E99DE1B1E03A28078E93falsefalse - insufficient disk space
10341000x80000000000000001590114Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:36.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590113Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:36.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590112Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:36.822{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA9B4199E142E4369D360A96EAC9D6A,SHA256=9AD06DB27FA4DEFB391FCA31AF28EECEF2D58B30C5DC2528C6D628381BD896E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001590117Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.923{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590116Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.923{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590115Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.826{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F82C8FFB8300933E5793818E0CAAF5,SHA256=804DC8239AAE14765F23AB453FE6D89FE413BBE1AF1B8B25E39DC41A87B81481,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002591192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:37.692{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:37.692{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195ABE32044FF6B22EA9C1BA3F864A01,SHA256=7ED35184742ACC76A31EFB5BEBF8CDC683E05D81A01F5E758A42C97C1643E5C0falsefalse - insufficient disk space
10341000x80000000000000001590120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:38.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:38.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590118Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:38.834{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449D17BEFDB0F64AB2B9CA380144AA4F,SHA256=5AFECD42E00A2BDC077A046430B62C03D151A59160C7AD3CDD0D991895A5C37C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002591198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:38.694{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:38.694{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6587E738AA2AEA9BF4615C528DE36B26,SHA256=1F3EB83E705703604EE82D7240C54B5BC3ED89E41BF4524B957ADF68627B0712falsefalse - insufficient disk space
11241100x80000000000000002591196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:38.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002591195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:38.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41939387C940FB45221BA1ED7791E355,SHA256=D5A2C368F2E8CEE0A1342AA6884A5DB63455C3273497A873107414FE41183260falsefalse - insufficient disk space
11241100x80000000000000002591194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:38.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002591193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:38.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6582D50930273906FA26B8C6CF389FC3,SHA256=D78AA06B23F85B01CA6D45B2DF4F91D974EBA4C35DD34DDFB4F17936A8CA3B6Bfalsefalse - insufficient disk space
10341000x80000000000000001590125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:39.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:39.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:39.840{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E02723D068B037E0B9E35D7ADD6A8D,SHA256=EA617D9F89D4BE88497BC8E8FA858DA4FEC8C0D31FD2BEFE8D13844C7266DFBD,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002591201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:36.553{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52550-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002591200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:39.712{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:39.712{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C6D3FFBC4686AFD1E470D6221B82FE,SHA256=87E50997656BF16C3468B8D41A0A8AAB7D82B40733A868567488FD3CFEF52E7Efalsefalse - insufficient disk space
23542300x80000000000000001590122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:39.238{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C588DFAED29CCE6BF58040FDA384D558,SHA256=89A19E669CB8CDC33CC3E7BE4031EFBB74A9E2649F86B0ED3D4A3C3AE20F0321,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001590121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:39.237{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64D5568DCF9A7A70E08E5AC1F1FF8F82,SHA256=F7CEF7027E6D93141167865948947ECAB39A533165D82BAEDDC3C72ABC9142EB,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002591203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:40.714{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:40.714{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4B0A23CEF3CE590684A13E8591CE56,SHA256=DFF80428A240F2DE071360792A04B2BC6D1EAC4DF2E00DACA2D27FA975883B6Afalsefalse - insufficient disk space
10341000x80000000000000001590129Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:40.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590128Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:40.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:40.844{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61E98B98D509A37C26EE5953A9F4504,SHA256=24C197CE95047FB6EE92990084544F12B80C0E77E51BBCE318EE7A081AA527FC,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001590126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:33.637{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26313-false10.0.1.12-8000-
11241100x80000000000000002591205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:41.717{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:41.717{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8F94FE73F6A058E9F9DD56DB110DD3,SHA256=533F3A6C9AF4EBB2381C101831F63E9319F753B2344107DCBCE8734CF054C045falsefalse - insufficient disk space
10341000x80000000000000001590135Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:41.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590134Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:41.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590133Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:41.853{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF87446CC1C5FE44E82C92D2F1B89D7,SHA256=846B077E2FA475656EF43C00F8F2783EE3354F447BF92E88262CF12E897DABA1,IMPHASH=00000000000000000000000000000000falsetrue
13241300x80000000000000001590132Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 19:59:41.621{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML
13241300x80000000000000001590131Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 19:59:41.618{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Config SourceDWORD (0x00000001)
13241300x80000000000000001590130Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 19:59:41.618{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_59F158BB-F4A4-42E1-B81F-FD8310C406A3.XML
11241100x80000000000000002591207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:42.853{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:42.853{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A9C7C6F45D81FFB8BEA95489C827F7,SHA256=6929CAA2361CC6C271384F24141EEC962A2A7FF24DB47B6C9DCCD152D275588Dfalsefalse - insufficient disk space 10341000x80000000000000001590143Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:42.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590142Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:42.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001590141Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:42.856{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9D6A769A2A82EC089EF6EB4CF108A0,SHA256=1E48130BC1A7B9116F7CB160C96A265BA71995DFE8B1F5DD9D8AA734491E996B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001590140Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.058{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26315-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001590139Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.058{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26315-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001590138Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.045{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26314-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001590137Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.045{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26314-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 
23542300x80000000000000001590136Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:42.618{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C588DFAED29CCE6BF58040FDA384D558,SHA256=89A19E669CB8CDC33CC3E7BE4031EFBB74A9E2649F86B0ED3D4A3C3AE20F0321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590149Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:43.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590148Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:43.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001590147Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:43.862{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C68F9AAD5F94573E5A19D9590885794,SHA256=5FBE17446921BCF2DD3BA0ABC1B938464C51A6320D37A9B4E1EC04E407B8DD08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590146Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:43.638{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=980B0D5CBB257D1774975CF4301F596B,SHA256=E6E4FB4D13651AAFC8ED4495DD8893124F4F970573C9F3168D8FEFEC0AEB25D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001590145Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.063{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26316-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001590144Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:37.063{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local26316-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 10341000x80000000000000001590152Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:44.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590151Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:44.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590150Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:44.864{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB06FB33D17FDC5D238AD2E9340667A,SHA256=81C42117D035B52E0A39B1132941065A838B3F687C31EB20CACA5C26598C581A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:44.138{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:44.138{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A76C83949024976644484982E99D3EF,SHA256=90249D5B468440EB0D5B75F62465BB6F3D9DAEB309B46BBB9A72560DC779B895falsefalse - insufficient disk space 11241100x80000000000000002591211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:44.138{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:44.138{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41939387C940FB45221BA1ED7791E355,SHA256=D5A2C368F2E8CEE0A1342AA6884A5DB63455C3273497A873107414FE41183260falsefalse - insufficient disk space 11241100x80000000000000002591209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:44.022{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002591208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:44.022{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA2E0B670C1A63CC5C31D372B210951,SHA256=909D8B3A1BF50AD894503D18209B64F0338A8BE8B0A70C59360B1A41E2F52B81falsefalse - insufficient disk space 10341000x80000000000000001590156Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:45.928{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590155Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:45.928{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001590154Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:45.874{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C6D6C2E4EA82110ED7EED7CE3211DF,SHA256=EE655A27ECF2C3B2245039D42E6DC5BC372FF52D68831383D4221EA4D89CE9A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:45.260{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:45.259{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E4AFFF9ACEC0AD7495C59131FFF0BB,SHA256=142C57343E4F3C424FBBE30FA0335AA84DACBD6D9002C97810C8BCED4CF01EF5falsefalse - insufficient disk space 23542300x80000000000000001590153Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:45.109{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37E456CEBA3A00212E529741E03BE368,SHA256=64E0D2DAE784611B4883165BA0D0B87B6529DA1574961A4778A16854C7DED903,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:45.225{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000002591215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:45.225{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 354300x80000000000000002591214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:42.598{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52551-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001590160Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:46.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590159Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:46.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590158Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:46.877{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACB162C31EA16CBBF6EF7789C91F5BD,SHA256=70FAED1EACC43321BFA949C7BBDF7B62D9DEF391A0274197E3AA1BB0C7BDC335,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:46.281{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:46.281{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007463A8DB0AB1219143E3565D77B895,SHA256=8953A525ABA5C3C37ED3066945F6C6182E8984EF8960B43405C34C1BEA9AAC91falsefalse - insufficient disk space 
354300x80000000000000001590157Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:39.533{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26317-false10.0.1.12-8000- 11241100x80000000000000002591220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:46.243{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:46.243{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A76C83949024976644484982E99D3EF,SHA256=90249D5B468440EB0D5B75F62465BB6F3D9DAEB309B46BBB9A72560DC779B895falsefalse - insufficient disk space 10341000x80000000000000001590163Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:47.930{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590162Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:47.930{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590161Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:47.889{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0136D00F801A4FA492E260D96CB9F50,SHA256=0C5DD743C6FA521EA570D2448082E8369978EB8B3E45AC595E581AADF8DC08A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:47.299{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:47.299{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CBAD9E75155DADF7E1EF11E549B499,SHA256=FA365246075C3FA4AF1532AE1827BCBD339B46FA47EF9C4EA6A0CFA1A22D5F43falsefalse - insufficient disk space 
354300x80000000000000002591223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:44.672{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52552-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x80000000000000001590166Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:48.931{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590165Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:48.931{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590164Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:48.895{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F2CD2C67B43E41A3C274EF025B0051,SHA256=B0640CFAAEB299CE69F6073D66C1C7227305CD458F77B907ACED0B3C0C4719CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:48.301{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:48.301{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A95241FF7FA43AD84BFB01137F6A566,SHA256=DFAFA30890E1FF7AEC0BDEA46510BB88457A5ABB858C7D9B9FF67005AC41D990falsefalse - insufficient disk space 10341000x80000000000000001590169Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:49.931{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:49.931{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590167Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:49.902{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF0E6220A5E363859B3CB10F8224F49,SHA256=B3E7E0156F7356CB0A4F50A76651F1CAB69178322016AA05108EA62522FBF77E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:49.368{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:49.368{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39C5573C95908CD9A994E8B51786140,SHA256=4129CF6D3911B7B024249F37E45F08E316A15414A77B62A691C1BDBF33443813falsefalse - insufficient disk space 10341000x80000000000000001590182Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.932{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590181Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.932{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590180Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.911{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB434F30045815064513B42E421450A3,SHA256=6B81ECC0A8B4718BD3B2AA75523300528252870D81AF54105BDF8787F7B7A261,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:50.491{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:50.491{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3DFEEA0926DAAA0FF271FAEA588903,SHA256=E67B88A4072E9263F2C845B395FE8A1FBB97FE199DEC01D111C007D34FE72538falsefalse - insufficient disk space 23542300x80000000000000001590179Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.235{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CDA845154D7C54CBFF46E3EB800B3E,SHA256=B3F7F928748E39F42624BB93069FA9955B8423580990F14459B06DAA6E551963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590178Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.231{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25420959C014425A6F57750346D2E04B,SHA256=CB26F8B6439D4221257C60564D65539FEC09E869139F80EC37A62F63D49176CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590177Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.202{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5B6-6081-8188-00000000BA01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590176Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.200{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590175Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:50.200{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590174Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.200{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:50.200{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590172Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.200{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-D5B6-6081-8188-00000000BA01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590171Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.199{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5B6-6081-8188-00000000BA01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590170Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.199{761B69BB-D5B6-6081-8188-00000000BA01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002591231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:50.152{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:50.152{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46013A3DF7A64540CFE6D8549AFCD3A5,SHA256=25A277259C8E764BB9124870121252F70B1D4A06938FD8C9648D27C7E9DDE460falsefalse - insufficient disk space 10341000x80000000000000001590187Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:51.933{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590186Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:51.933{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590185Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:51.919{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DBE5B03688F3ECDC268C38E2C65459,SHA256=D3BC845B6E239FE22D2B20BB9CC9EC4F4C86B3A290C4AC52E9070F22A2525ABA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:51.493{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:51.493{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03ADC76B3A990797E17B4FB15A0E2FB9,SHA256=9194BB3D27252ED6F0B29FB4D53DD62EC4D52647990016B6460E4798D0F1341Afalsefalse - insufficient disk space 23542300x80000000000000001590184Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:51.348{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CDA845154D7C54CBFF46E3EB800B3E,SHA256=B3F7F928748E39F42624BB93069FA9955B8423580990F14459B06DAA6E551963,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001590183Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:44.664{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26318-false10.0.1.12-8000- 
354300x80000000000000002591234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:48.581{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52553-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001590192Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:52.935{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D727015A9D79366B024F7CDDB68DC5AE,SHA256=E716B775CDD9319EB6F4AC73653CE725D75F2DB30B355652476C804F795DF4B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590191Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:52.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590190Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:52.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002591247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.612{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.612{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C09D212FE52A163DA45E2367EDBB35,SHA256=FCB25D6BF48FE336BE128DDDBD42E0ED318E786ABB3860FFFD1D5F66D233021Cfalsefalse - insufficient disk space 23542300x80000000000000001590189Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:52.462{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=93B7A22E8D6C184C548EF323B69851AB,SHA256=54BA5A18599D1799087F74E18A6F5F439CF40EB01FFFC3E5C97EDD2783766B05,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001590188Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:52.355{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002591245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 19:59:52.511{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000002591244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 19:59:52.511{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d737b2-0x0ef14453) 12241200x80000000000000002591243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 19:59:52.511{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000002591242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.511{21761711-84C9-607D-F200-00000000BB01}37844264C:\Windows\Explorer.EXE{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002591241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.511{21761711-84C9-607D-F200-00000000BB01}37844264C:\Windows\Explorer.EXE{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002591240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
19:59:52.511{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10e0a0b0.TMPMD5=0A3987995CAABA9D2D05576BFBDACCA4,SHA256=134B5D92AEA1E4DCEEF95C6317D978F0F8DF8AC008963BBBF96453B3409DC3FFfalsefalse - insufficient disk space 11241100x80000000000000002591239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.496{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10e0a0b0.TMP2021-04-22 19:59:52.496 254200x80000000000000002591238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.496{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQL3LT2WDPLR45DIPGER.temp2021-04-19 13:28:44.7592021-04-22 19:59:52.496 11241100x80000000000000002591237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:52.496{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQL3LT2WDPLR45DIPGER.temp2021-04-22 19:59:52.496 23542300x80000000000000001590196Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:53.939{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2530682CEC1AC0EE7FBBD8CAE46E27,SHA256=57011712AD40A6417696555955D7D0BD9BFEEC28E5713FF04215DE779A6CFC8D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002591249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:53.614{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:53.614{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38380A7151ECE97B3E4DB8B671E0E0F,SHA256=967313CEBFF68044E7F680098EA872023FA5EA0BF4305FA701C4C8BBAD3ADEA3falsefalse - insufficient disk space 10341000x80000000000000001590195Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:53.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590194Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:53.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590193Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:53.343{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=086A44424C6759904DCA516C7C3005EF,SHA256=6EE2490E9FAB131CD66DBC0CCE2C96B18DA90A74A92086A30F3BCB8439B5F3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590217Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.965{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AE0DD96A1940ACDBABADAD194DE475,SHA256=AF6605B98015A9AFFACC218D2B79031915BB88B06BC22A15F0D7E5D4DEAC0D70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:54.616{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002591250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:54.616{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4FC6D435ED8BFE5D87F92F71CB9C63,SHA256=D79729F1BE337A0D8E77FE5A5F7708DAED4B6D57634EC0940802341106E55C80falsefalse - insufficient disk space 10341000x80000000000000001590216Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590215Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
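The records above are Sysmon events (EventID 10 ProcessAccess, 23 FileDelete, 3 NetworkConnect, 1 ProcessCreate, 11 FileCreate, 12/13 Registry) exported from the attackrange.local hosts with their field delimiters stripped. Two things in them deserve a triage check: the ProcessAccess records carry GrantedAccess masks (0x1400 from svchost.exe via lsm.dll to sysmon64.exe, 0x1fffff from splunkd.exe to its own child, 0x40 from Explorer.EXE to firefox.exe with UNKNOWN(FFFFF803...) kernel frames in the call trace), and every FileDelete record from win-host-5 ends in "false - insufficient disk space", i.e. Sysmon could not keep an archive copy of the deleted file, so nothing deleted on that host during this window is recoverable from the archive directory. The following script is an added example, not code from the page or from Splunk Attack Range: it parses Sysmon-shaped XML records, decodes the access mask with the winnt.h PROCESS_* bits, distinguishes user-mode UNKNOWN frames (unbacked code) from kernel-mode ones, and flags archive failures. The sample records are constructed by hand and modelled on the values on this page; the hostile lsass.exe case and the SENSITIVE_TARGETS allow-list are assumptions for illustration.

```python
"""Triage Sysmon ProcessAccess (EventID 10) and FileDelete (EventID 23) records.
Added example; sample events below are constructed, modelled on this page's export."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access-right bits from winnt.h (fixed by the Win32 API, not by Sysmon).
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read or tamper with the target's memory or threads.
INTRUSIVE = 0x0001 | 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0800
# Assumed policy: nothing should hold intrusive handles to these without an allow-list.
SENSITIVE_TARGETS = ("\\lsass.exe", "\\sysmon64.exe", "\\sysmon.exe")
USER_SPACE_LIMIT = 0x0000_8000_0000_0000  # x64: addresses at or above this are kernel-mode


def sysmon_event(event_id, **data):
    """Build a minimal Sysmon-shaped XML record (constructed test input)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def decode_access(mask):
    """Names for a GrantedAccess mask, e.g. 0x1400 -> the two QUERY_* rights only."""
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def unbacked_user_frames(call_trace):
    """UNKNOWN frames below the user/kernel split: code with no module behind it.
    UNKNOWN(FFFFF803...) frames, as in the Explorer -> firefox.exe records on this
    page, are kernel transitions and are ignored."""
    return [f for f in call_trace.split("|")
            if f.startswith("UNKNOWN(") and int(f[8:-1], 16) < USER_SPACE_LIMIT]


def triage(xml_text):
    """Return a finding dict for a suspicious record, or None when it is routine."""
    event_id, d = parse_event(xml_text)
    if event_id == 10:
        mask = int(d["GrantedAccess"], 16)
        sensitive = d["TargetImage"].lower().endswith(SENSITIVE_TARGETS)
        intrusive = mask == PROCESS_ALL_ACCESS or bool(mask & INTRUSIVE)
        unbacked = unbacked_user_frames(d.get("CallTrace", ""))
        if (sensitive and intrusive) or unbacked:
            return {"event": "ProcessAccess", "source": d["SourceImage"],
                    "target": d["TargetImage"], "rights": decode_access(mask),
                    "unbacked": unbacked}
    elif event_id == 23:
        # Archived is "true" only when Sysmon kept a copy in its archive directory;
        # anything else (here "false - insufficient disk space") is a telemetry gap.
        archived = d.get("Archived", "")
        if not archived.startswith("true"):
            return {"event": "FileDelete", "image": d["Image"],
                    "file": d["TargetFilename"], "archive_error": archived}
    return None


SAMPLES = [
    # Routine: lsm.dll in svchost querying sysmon64.exe (mask as on the page).
    sysmon_event(10, SourceImage=r"C:\Windows\system32\svchost.exe",
                 TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1400",
                 CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\lsm.dll+fd18"),
    # Routine: parent splunkd.exe holding full access to its own child (as on the page).
    sysmon_event(10, SourceImage=r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
                 TargetImage=r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe",
                 GrantedAccess="0x1fffff", CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a7404"),
    # Routine: DUP_HANDLE with only kernel-mode UNKNOWN frames (Explorer -> firefox.exe).
    sysmon_event(10, SourceImage=r"C:\Windows\Explorer.EXE",
                 TargetImage=r"C:\Program Files\Mozilla Firefox\firefox.exe", GrantedAccess="0x40",
                 CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)"),
    # Constructed hostile case (not on the page): VM_READ on lsass.exe from unbacked code.
    sysmon_event(10, SourceImage=r"C:\Users\Administrator\AppData\Local\Temp\tool.exe",
                 TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010",
                 CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001F2A4C30120)"),
    # FileDelete whose archive copy failed, with the reason text seen on this page.
    sysmon_event(23, Image=r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe",
                 TargetFilename=r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security",
                 IsExecutable="false", Archived="false - insufficient disk space"),
]


def findings(samples=SAMPLES):
    return [f for f in (triage(s) for s in samples) if f]


if __name__ == "__main__":
    for finding in findings():
        print(finding)
```

The three routine records from the page produce no finding: 0x1400 carries no intrusive right, the parent-to-child 0x1fffff handle targets nothing on the sensitive list, and the FFFFF803... frames are kernel addresses, not injected code. Only the constructed lsass.exe access and the un-archived FileDelete are reported; in a real deployment the second class of finding is an operational alert to free space under the Sysmon archive directory, since it means deleted evidence is being lost silently.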
10341000x80000000000000001590214Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.801{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5BA-6081-8388-00000000BA01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590213Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.799{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590212Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:54.799{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590211Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.799{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590210Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:54.799{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590209Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.798{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D5BA-6081-8388-00000000BA01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590208Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.798{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5BA-6081-8388-00000000BA01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590207Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.798{761B69BB-D5BA-6081-8388-00000000BA01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001590206Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:47.778{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26319-false10.0.1.12-8089- 10341000x80000000000000001590205Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.267{761B69BB-D5BA-6081-8288-00000000BA01}61523520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590204Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.123{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5BA-6081-8288-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590203Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:54.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590202Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590201Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:54.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590200Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.121{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590199Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.120{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-D5BA-6081-8288-00000000BA01}6152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590198Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.120{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5BA-6081-8288-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590197Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:54.119{761B69BB-D5BA-6081-8288-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001590231Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.979{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C8C685F07A2CF1B09B4C34167EE3B2,SHA256=0D9C737C2EF81F19CD663C739806F69CDB2D743E657E71A5338BEAE9D2D725C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:55.666{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:55.666{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07252424E154850D87FD2CE974C6D015,SHA256=089C089F8B338162A1CA6541A2BD7A34F097C56CE8ADC77CF965F17270139DDEfalsefalse - insufficient disk space 10341000x80000000000000001590230Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:55.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590229Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590228Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.597{761B69BB-D5BB-6081-8488-00000000BA01}58683228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590227Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.465{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5BB-6081-8488-00000000BA01}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590226Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.463{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590225Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:55.463{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590224Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.463{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590223Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:55.462{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590222Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.462{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-D5BB-6081-8488-00000000BA01}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590221Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.462{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5BB-6081-8488-00000000BA01}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590220Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.462{761B69BB-D5BB-6081-8488-00000000BA01}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001590219Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:49.502{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26320-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001590218Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.095{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF63973A090F7B64744BCB7A2720936D,SHA256=988A02C3BE53B9A85935F611A39C3373E895364374C660D0CEC64CD89A99DAE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590235Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:56.992{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D307D43FA66F5D17804A827F583ACF48,SHA256=3030B42C932F7E32B969CD9A2D99ADA99C16C91E166A24D778439ED35B8A7663,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:56.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:56.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E62CBADBA7FA5B85A5C1C7B53EAA670,SHA256=1580BDEF727099858ECE0D09A9202EE3FC1024A950D7BD33E59706C7444858AEfalsefalse - insufficient disk space 10341000x80000000000000001590234Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:56.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590233Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:56.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590232Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:56.134{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E8F843C610FAABA2913EDB26D4A3503,SHA256=F6FECF085E0F5FE7A4F26140FEA54744D6BB2E5BD3E9A0CE9AB4F96843128CC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:56.167{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:56.167{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D16038D3DB75A25C6D0449EC42C5B33F,SHA256=F4A996F6B9702FE2C685638CA24B4A592FDD02479E5781CCA34A37D02418468Efalsefalse - insufficient disk space 11241100x80000000000000002591255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:56.167{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:56.167{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D6A63C6BE5213CE77905F9A1B566B71,SHA256=85A2A1F1A1E2B53665FF780309868D126915C764DEE3C25F55389C36D1AB6AAFfalsefalse - insufficient disk space 23542300x80000000000000001590239Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:57.996{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CA73C26C5C638DCDED2B196D524C21,SHA256=64E9138585D3469EBFDE97DBFD36C5AB47D98B74382DE6EC139346DF6A9B9CAD,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002591262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:57.824{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:57.824{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E41AC0302D32E6462AC4B4BD8D27FB,SHA256=A14C31D5B97280D1A252926360852D50391A7A40F0AC05A7ABD2582734CF70DFfalsefalse - insufficient disk space 10341000x80000000000000001590238Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:57.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590237Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
19:59:57.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001590236Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:50.553{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26321-false10.0.1.12-8000-
354300x80000000000000002591260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:54.628{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52554-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002591264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:58.826{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:58.826{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFB2821935B0A1758DAAD17684A69C2,SHA256=742EDACF2AA726C3C34CBDC524F6734C5C2B6E0C32E805D8344B39A672EE71A2falsefalse - insufficient disk space
10341000x80000000000000001590250Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590249Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590248Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.550{761B69BB-D5BE-6081-8588-00000000BA01}29286424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590247Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.411{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5BE-6081-8588-00000000BA01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590246Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.409{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590245Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.409{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590244Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.409{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590243Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.409{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590242Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.408{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D5BE-6081-8588-00000000BA01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001590241Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.408{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5BE-6081-8588-00000000BA01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001590240Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:58.408{761B69BB-D5BE-6081-8588-00000000BA01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x80000000000000002591266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:59.829{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:59.829{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1FFD5F7D802E2879B9B5875EF775B0,SHA256=FE0B5B5EF041EE747D6B823662D15048E0F7A519B61F6A23F94DFF4F0FA24A6Cfalsefalse - insufficient disk space
10341000x80000000000000001590271Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590270Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590269Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.754{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5BF-6081-8788-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590268Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.752{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590267Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.752{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590266Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.752{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590265Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.752{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590264Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.751{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D5BF-6081-8788-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001590263Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.751{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5BF-6081-8788-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001590262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.751{761B69BB-D5BF-6081-8788-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001590261Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.326{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84CAB7E331D438F2E09062BE91D66976,SHA256=3F965FD922F0088009497EA9558B2A9279EC3691746F64A7CA9C61CE853B924B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001590260Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.222{761B69BB-D5BF-6081-8688-00000000BA01}64406836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590259Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.075{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5BF-6081-8688-00000000BA01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590258Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.073{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590257Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.073{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590256Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.073{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.072{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590254Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.072{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D5BF-6081-8688-00000000BA01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001590253Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.072{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5BF-6081-8688-00000000BA01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001590252Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.072{761B69BB-D5BF-6081-8688-00000000BA01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001590251Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:59.009{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB210A755D04021A7CA0561B90101EB,SHA256=C91A900104DA73214E42E4D0D968587924A124190F471C1703F77379A764FD9F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002591268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:00.997{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:00.997{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA034008EEA8F7F3235FD0B64C2AAEC,SHA256=A5C24A85F7077924CAF4C6D9D95BD288A4F9FBB6D8ED3C40E7D18D4788C0F024falsefalse - insufficient disk space
10341000x80000000000000001590275Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:00.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590274Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:00.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001590273Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:00.852{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB530E55A707A11563216F9F3D034970,SHA256=284AC57BFA90F30A7735C2E48254D110E6B5CBB81EA8108A65804639BE08633A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001590272Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:00.016{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663DF9147D2B8F3355AE6F1CF9B00421,SHA256=B49F0D323018E7A0D123EF1185BD2994025B2B9B961586BE57E90BFADCD8A557,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002591272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:01.217{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002591271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:01.217{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79ABAA4104C6E514B1B829ACE941C9C2,SHA256=D24B2FFABEF56F44A93B4C849A85F7D0CE2906C387BA8680A29AB6E0C3F1CCCBfalsefalse - insufficient disk space
11241100x80000000000000002591270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:01.217{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002591269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:01.217{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D16038D3DB75A25C6D0449EC42C5B33F,SHA256=F4A996F6B9702FE2C685638CA24B4A592FDD02479E5781CCA34A37D02418468Efalsefalse - insufficient disk space
10341000x80000000000000001590279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:01.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590278Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:01.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001590277Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:55.500{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26322-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
23542300x80000000000000001590276Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:01.020{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3259BDF1085245E87CD94EBECEA2BA71,SHA256=24232FC01E5829CD1DA3CFE8CE170064E5DFAF5EDA7C10C0A08F3FC0708280DD,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002591275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 19:59:59.677{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52555-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002591274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:02.181{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002591273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:02.181{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D237D439A0EB790C434B5D0550CE0F,SHA256=964CBE890D127AC363C983D5F106D4A8603E410BEE8EB0FDF333741AAF9798D2falsefalse - insufficient disk space
10341000x80000000000000001590284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:02.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001590283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:02.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001590282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 19:59:56.449{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26323-false10.0.1.12-8000-
23542300x80000000000000001590281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:02.024{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBAD02C8589464DCB93270BBD5C5EF7,SHA256=173936D18CD320C9E8E7BEED28D0EBA4373C4AEA28705AD3838430170033FF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:02.016{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B11B8E1FE7EB80CCAD63381DF99C76,SHA256=2AE2A064C65B46C62E4D8311144EC1B2BC0B015519BF5D6FBAB64EBBACACD05F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:03.422{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:03.422{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B630863AC4D87C386D7F869B2C9936A6,SHA256=2D1AD71886E39291DF9CC414F2353C8F8AC0CBB5610E60FAAFE1C50DA582D811falsefalse - insufficient disk space 10341000x80000000000000001590288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:03.940{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:03.940{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:03.394{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6618C81A70F9432A4AE7C571BC391EB7,SHA256=DE4FB2D7B3064449D10121DF8A6EE9F25D8E8F9F94FAD048B8C09890340BF194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:03.034{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0E5D880AE62EBD5E3D99425F3BB35,SHA256=0F6467D748F2CEB8317F8E5F338C90843E2CD44A56105D5A8758DCC49B1634C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:04.504{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:04.504{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799AF2DC69CEC38D1316850FD90B2FDF,SHA256=11C1D04D8AC65DAB8DB4638DCD6611B51AC70245D4143080986557D7EDC07724falsefalse - insufficient disk space 10341000x80000000000000001590291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:04.940{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:04.940{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:04.039{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F80F2324E972579C948B0554851D67,SHA256=994EFBBFCD165C9B05236E5E19BCA11DDE4D2F8A79BC3F0148E0FACC3A4F00C9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:05.558{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:05.558{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0367224C82C9A0B56453DAE7802825B7,SHA256=AA5E6AE965B52C937C9F2FAEF0040633C508FDF1BD95610DE686ED4763E71DCAfalsefalse - insufficient disk space 10341000x80000000000000001590294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:05.941{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:05.941{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:05.044{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1DEFF95CB0A7BB496DF378E2FB2F3C,SHA256=D0366756F32302C530EE41F0DD110F288661C2009594F8C315F81BF6C80CF394,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:06.591{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:06.591{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501498E4E26C23F191756C91AD6F0A10,SHA256=938224F813ED12B8E9FACA09956FCD84357598729E722509A877D61DF4153DB9falsefalse - insufficient disk space 10341000x80000000000000001590297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:06.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:06.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:06.049{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0414E6B50265F2DA8B6AEBF18287C9,SHA256=050194B8687DFC566B6C250CE6C761E952134B495F1EA776B02175C51D7322A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:06.275{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:06.275{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE84DE994197D487641B516B333B2B21,SHA256=FA999A741A703D27D9ABB9D0FF716F1928B34867750F78B053749FF50B3BF5B2falsefalse - insufficient disk space 
11241100x80000000000000002591283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:06.275{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:06.275{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79ABAA4104C6E514B1B829ACE941C9C2,SHA256=D24B2FFABEF56F44A93B4C849A85F7D0CE2906C387BA8680A29AB6E0C3F1CCCBfalsefalse - insufficient disk space 11241100x80000000000000002591290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:07.613{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:07.613{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559EBE2D2BDA656D73663C3F4438830C,SHA256=999444EE0CA5068FD710CA4F45EDA7AAC86A6776757F59475851A4991D61C9E2falsefalse - insufficient disk space 10341000x80000000000000001590301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:07.943{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:07.943{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:07.152{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A72F1D9CC548C1FECD198D2A359262,SHA256=424641B8CBA469C3354BF78C64E1E0727ED4D6B766AEC0B31B9F51EE24A78C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:07.132{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC139BDF6DFA06B29AB7C7FC0C0BDFF2,SHA256=47D85E56115E359B7C3F48429FEEC1287B1BAF5545310FD45F758FC9EB7DA34A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002591288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:04.704{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52556-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002591292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:08.650{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:08.650{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FA96722324A3EAAC54D6C916C4AE5D,SHA256=9F82B26369A1CF59F12E97B352041F5CD68FC6BC265699CC7785C8299CF98B7Afalsefalse - insufficient disk space 10341000x80000000000000001590305Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:08.944{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590304Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:08.944{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:01.585{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26324-false10.0.1.12-8000- 23542300x80000000000000001590302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:08.140{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE5AB4970FD6D7F785602DB9C9545F0,SHA256=7D14271D7D892BB53256098CA146BAC56DEAB0AB62C2F174212AAE788E30FB7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:09.668{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:09.668{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320C67631DC463096178DCA67599BB7E,SHA256=5C57D99C294979AD89D3E6378736996F764B3E1E5E0FA8BC0334EB9965A79E9Cfalsefalse - insufficient disk space 10341000x80000000000000001590308Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:09.945{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590307Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:09.945{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590306Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:09.149{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4339545CA329F10F74551895B2710EE,SHA256=FBA069339E82B856DB0A26DD92D3B12BC74F5827BA92910E2758096280B0D4D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:10.670{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:10.670{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AA1E9261254DDC1D8109FC597DAD34,SHA256=840E1ED0BB05EC196B056295C234DF78788A76C0DCAAD0852162932F6D8DC206falsefalse - insufficient disk space 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14EC40C93876E43DBC009273BDC1125,SHA256=D407725AA272BD88DBC4C8D27EC70AEC10AAEE87E0C27379E8DF4E9DFCA29AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590319Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:13.139{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98AF0F372D12962C2D85726C731749E4,SHA256=6E3FA6C90B70B9E8DEDB115A55F785E13C9FC06E005A6595AD4AF46FBDFF86EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590318Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:13.138{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78411FA52B0AD05B0C19E7E4E44D1C23,SHA256=00AE0D11989E25774918F25C3D9BC357B39D39A8EE3078A10E038A3E01B1E4C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:14.981{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:14.981{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB39061C1D6D98269B7B4D071F8B9DD6,SHA256=5A6588C0DFDCD6696B22C6AC667B1D30AAE8CEC01DA6AEA32BC53DAB5ECDCD7Cfalsefalse - insufficient disk space 10341000x80000000000000001590326Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:14.948{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590325Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:14.948{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590324Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:07.467{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26325-false10.0.1.12-8000- 23542300x80000000000000001590323Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:14.175{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CB6930982AFC42718CF35784D5A462,SHA256=8CF6E3F51FEFE94907568AE739982CB80F40F985DD5AAA91D1C7FAFB0A1C6F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002591367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:14.649{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF10e0f73c.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000002591366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:14.649{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF10e0f73c.TMP2021-04-22 20:00:14.649 254200x80000000000000002591365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:14.649{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\u0cyjppd.tmp2021-04-20 
20:22:02.3742021-04-22 20:00:14.649 11241100x80000000000000002591364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:14.649{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\u0cyjppd.tmp2021-04-22 20:00:14.649 10341000x80000000000000001590329Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:15.949{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590328Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:15.949{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590327Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:15.179{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA194F2E6458173FD0074E0D11FB7DF,SHA256=18D13F673E67592BE594C3B4E51B9CF0D7F983DD45FEFF2F4188080011440934,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002591425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.867{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002591424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.867{21761711-D5CF-6081-2C8A-00000000BB01}9845176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.867{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000002591422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.867{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002591421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002591420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002591419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002591418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002591417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002591416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002591415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002591414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002591413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002591412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002591411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002591410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002591409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002591408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002591407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000002591406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002591405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002591404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002591403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002591402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002591401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002591400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002591399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002591398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002591397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002591396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.736{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002591395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.735{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002591394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.735{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002591393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.735{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002591392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.734{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002591391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.734{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 
734700x80000000000000002591390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.734{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.734{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.733{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002591387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.733{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.733{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002591385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.733{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002591384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.732{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002591383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.732{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.731{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.731{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.730{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:15.730{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002591378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.729{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002591377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.729{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002591376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:15.714{21761711-D5CF-6081-2C8A-00000000BB01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002591375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:15.714{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:15.714{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002591373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:15.714{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:15.714{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002591371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
20:00:15.714{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:15.714{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002591542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.917{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.917{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8C6A273C739B90EF7CB4E36F1D72B3,SHA256=E94F64905D6763990B8DF308FCD096B4145AAADACBF572C3FECE08A7D6F8124Ffalsefalse - insufficient disk space 734700x80000000000000002591540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.901{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002591539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.901{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002591538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.901{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002591537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002591536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002591535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 
734700x80000000000000002591534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002591533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002591532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002591531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002591530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002591529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002591528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002591527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002591526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002591524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000002591523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002591522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002591521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002591519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002591518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002591517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002591516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002591515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002591514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002591513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002591512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002591511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002591510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002591509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002591507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002591506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002591505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 10341000x80000000000000001590336Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:16.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590335Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:16.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590334Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:16.192{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1586B2BDB3355DB77B2AC2545B5C97,SHA256=A4CB26DF92D0831B1B4415A597E45398CDAE3EA8F5407805A082F37E34B608F2,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002591504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002591503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:16.886{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
20:00:17.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590339Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:17.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590338Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:17.195{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E908785904A6325CE519C66F8E57016,SHA256=081FDF6C0CD881538F17B0362137B8B85627C4114623B3B17B40B075F692FD04,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:17.872{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.872{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6FFA27F99DC767BA4EAB8F561955BE,SHA256=49BEB8DA09FBC6FCC6AD44E0F92AD2F3902EF2DAB1773780376C492424617778falsefalse - insufficient disk space 534500x80000000000000002591607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.672{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002591606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.656{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002591605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.656{21761711-D5D1-6081-2F8A-00000000BB01}38446540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.656{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002591603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.656{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002591602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.536{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000002591601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.535{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002591600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.535{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002591599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:17.534{21761711-D5D1-6081-2F8A-00000000BB01}3844\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002591598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.534{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002591597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002591596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002591595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002591594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002591593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002591592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002591591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002591590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002591589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002591588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002591587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000002591585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002591584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002591583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002591582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002591580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002591579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002591578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002591577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002591576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002591575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002591574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002591573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002591572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002591571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002591570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002591568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002591567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002591566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® 
Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002591565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002591564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002591559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002591558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.518{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002591557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.505{21761711-D5D1-6081-2F8A-00000000BB01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002591556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:15.715{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52558-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 18141800x80000000000000002591555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:17.503{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:17.503{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002591553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:17.503{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:17.503{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002591551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:17.503{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:17.503{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002591549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.503{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.503{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D32F697588BFCBB1A0DEFE507D0793D,SHA256=D48FC9B460F0C90FE4EC6B1C23D195A9A0FC0B2279E483171DDD54AC98E90A12falsefalse - insufficient disk space 534500x80000000000000002591547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.033{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002591546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.017{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002591545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.017{21761711-D5D0-6081-2E8A-00000000BB01}8206736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.017{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002591543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:17.017{21761711-D5D0-6081-2E8A-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001590337Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:17.051{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98AF0F372D12962C2D85726C731749E4,SHA256=6E3FA6C90B70B9E8DEDB115A55F785E13C9FC06E005A6595AD4AF46FBDFF86EA,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002591725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.975{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002591724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.975{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002591723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.975{21761711-D5D2-6081-318A-00000000BB01}52003748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.975{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000002591721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.975{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002591720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002591719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002591718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002591717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002591716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002591715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002591714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002591713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002591712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002591711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002591710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002591709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002591708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002591707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.844{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002591706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.843{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.843{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.843{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002591703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.843{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002591702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002591701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002591700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002591699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002591698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002591697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002591696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002591695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002591694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:18.842{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002591693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002591692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002591691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002591690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002591689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002591687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002591686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002591685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.841{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002591684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.840{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002591683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.840{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:18.839{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.839{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.838{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.838{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 
10341000x80000000000000002591678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.837{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002591677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.837{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002591676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.822{21761711-D5D2-6081-318A-00000000BB01}5200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002591675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:18.821{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:18.821{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002591673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:18.821{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:18.821{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002591671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:18.821{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002591670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:00:18.821{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
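The records above are raw Sysmon events as shipped by the Splunk universal forwarder on win-host-5: an Event ID 1 (process create) for splunk-powershell.exe (PID 5200, parent splunkd.exe PID 3716), followed by Event ID 10 (process access) records in which csrss.exe (PID 412) and splunkd.exe open that new process with GrantedAccess 0x1fffff. That pattern is the normal Windows baseline (csrss touches every new process, and a parent holds a full-access handle to the child it just created), and it is the main source of noise when hunting for credential-dumping style access. The following Python is an added example, not part of the page's data or of Splunk's or Sysmon's code: it parses Sysmon XML events, decodes the access mask, correlates Event ID 10 with Event ID 1 to recognise parent-to-child handles, and flags memory-read access to lsass.exe from anything else. The XML events are constructed from the field values visible on the page (GUIDs, PIDs, images, access mask), with hashes and call traces omitted; the fourth event (an unknown binary opening lsass.exe) and the lsass.exe rule are assumptions typical of EDR triage, not something the page shows.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) by correlating with Event ID 1.

Added example; not from the page's data or from Splunk/Sysmon. Events are
CONSTRUCTED from field values seen on the page plus one assumed suspicious
event; the lsass.exe rule is an assumption, not something the page states.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access rights from winnt.h (PROCESS_ALL_ACCESS == 0x1FFFFF).
ACCESS_BITS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Sources that legitimately open every new process with full access.
BASELINE_SOURCES = {r"c:\windows\system32\csrss.exe"}
# Assumed sensitive target (typical credential-dumping rule, not from the page).
SENSITIVE_TARGETS = {"lsass.exe"}
MEMORY_READ = 0x0010 | 0x0400 | 0x1000  # VM_READ | QUERY_INFO | QUERY_LIMITED


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) from one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def decode_access(mask):
    """Expand a GrantedAccess mask into named PROCESS_* rights."""
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def triage(events):
    """Classify each EID 10 as baseline, parent-child, review or info.

    EID 1 records are indexed first so that a parent opening the child it
    just created (splunkd.exe -> splunk-powershell.exe) is recognised via
    TargetProcessGUID == ProcessGuid and SourceProcessId == ParentProcessId.
    """
    parsed = [parse_event(e) for e in events]
    parents = {d["ProcessGuid"]: d["ParentProcessId"] for eid, d in parsed if eid == 1}
    findings = []
    for eid, d in parsed:
        if eid != 10:
            continue
        mask = int(d["GrantedAccess"], 16)
        src = d["SourceImage"].lower()
        tgt = d["TargetImage"].lower().rsplit("\\", 1)[-1]
        if src in BASELINE_SOURCES:
            verdict = "baseline"
        elif parents.get(d["TargetProcessGUID"]) == d["SourceProcessId"]:
            verdict = "parent-child"
        elif tgt in SENSITIVE_TARGETS and (mask & MEMORY_READ or mask == PROCESS_ALL_ACCESS):
            verdict = "review"
        else:
            verdict = "info"
        findings.append((d["UtcTime"], d["SourceImage"], d["TargetImage"],
                         decode_access(mask), verdict))
    return findings


def _event(eid, **fields):
    """Build a minimal Sysmon-shaped XML event (constructed sample input)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>win-host-5.attackrange.local</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


FWD = r"C:\Program Files\SplunkUniversalForwarder\bin"
PS_GUID = "{21761711-D5D2-6081-318A-00000000BB01}"
SPLUNKD_GUID = "{21761711-842A-607D-9700-00000000BB01}"
# Constructed from values on the page; the last event is an assumed example.
SAMPLE_EVENTS = [
    _event(1, UtcTime="2021-04-22 20:00:18.822", ProcessGuid=PS_GUID, ProcessId="5200",
           Image=FWD + r"\splunk-powershell.exe", ParentProcessGuid=SPLUNKD_GUID,
           ParentProcessId="3716", ParentImage=FWD + r"\splunkd.exe"),
    _event(10, UtcTime="2021-04-22 20:00:18.837", SourceProcessGUID=SPLUNKD_GUID,
           SourceProcessId="3716", SourceImage=FWD + r"\splunkd.exe",
           TargetProcessGUID=PS_GUID, TargetProcessId="5200",
           TargetImage=FWD + r"\splunk-powershell.exe", GrantedAccess="0x1fffff"),
    _event(10, UtcTime="2021-04-22 20:00:18.837",
           SourceProcessGUID="{21761711-83AC-607D-0500-00000000BB01}", SourceProcessId="412",
           SourceImage=r"C:\Windows\system32\csrss.exe", TargetProcessGUID=PS_GUID,
           TargetProcessId="5200", TargetImage=FWD + r"\splunk-powershell.exe",
           GrantedAccess="0x1fffff"),
    _event(10, UtcTime="2021-04-22 20:05:00.000",  # assumed, not on the page
           SourceProcessGUID="{00000000-0000-0000-0000-000000000001}", SourceProcessId="4711",
           SourceImage=r"C:\Users\Public\unknown.exe",
           TargetProcessGUID="{00000000-0000-0000-0000-000000000002}", TargetProcessId="620",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

Run as-is and the two splunk-powershell.exe handles come back as baseline and parent-child, while the constructed 0x1010 (VM_READ | QUERY_LIMITED_INFORMATION) open on lsass.exe is the only row marked for review. The correlation key matters: match on TargetProcessGUID, not TargetProcessId, because Sysmon's ProcessGuid survives PID reuse across reboots and the page's own records show the same PID ranges recurring.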
11241100x80000000000000002591669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.537{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.537{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E33902AD5B3CC7A6ED1F7BF2B2C728,SHA256=A4062A765F99F702BACE9BB4F97759BEC96DFC596096C8931931754AA8CEFCFBfalsefalse - insufficient disk space 10341000x80000000000000001590345Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:18.951{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590344Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:18.951{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590343Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:12.602{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26326-false10.0.1.12-8000- 23542300x80000000000000001590342Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:18.199{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2BB8CCA16213B8A8B3A2D011414621,SHA256=1D68DA44F491C3D1808532ECD52A887C82830AAD84E69A73AAF1E028DEF757F3,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002591667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.289{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002591666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.289{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002591665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.289{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002591664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.289{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002591663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.189{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.189{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3752B19FFAF34DAE549C64E2B460CA98,SHA256=8345D568D2B86623FF24831D87E662448691521AF45DC895453B6E4F0BF19BB2falsefalse - insufficient disk space 734700x80000000000000002591661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002591660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002591659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002591658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002591657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002591656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002591655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002591654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000002591653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002591652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002591651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002591650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002591649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002591648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002591647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002591646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000002591645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002591644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002591643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002591642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002591641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002591640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002591639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002591638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.157{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002591635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002591634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002591633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002591632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002591631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 
734700x80000000000000002591630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002591629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002591628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002591627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 23542300x80000000000000001590341Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:18.171{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF5A70149146F9A5CA5239CB66770564,SHA256=5167F2E1E58399C06051E8A0221F3138EA0F3C5659EFF1CCFA53EC0DD1C60C56,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002591625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002591624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002591623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002591622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002591618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002591617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:18.142{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D5D2-6081-308A-00000000BB01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
23542300x80000000000000001590381Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:29.199{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5138B9AF96E7C6CC2A37B03A95592F6E,SHA256=26638446B0206CBB1B93AF2CDD54F26B6DF842807C160E022DA56E26D138DB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590380Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:29.198{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DF01307341B6C052C9A2FFB90D770C9,SHA256=9D053253957CFEF3243D48C125B0B1179F5E7C8A9FC218BD6DCFF06F9CD900B3,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002591761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:00:30.349{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002591760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:00:30.265{21761711-D563-6081-218A-00000000BB01}8012c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002591759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:30.066{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:30.066{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B26822D8576041635321EACF322670,SHA256=CBFB348DBA19A58201BDA71C2FD7CF05B40998D6A80B95AEA0943220D4B2C318falsefalse - insufficient disk space 10341000x80000000000000001590388Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:30.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590387Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:30.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590386Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:23.620{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26329-false10.0.1.12-8000- 23542300x80000000000000001590385Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:30.273{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC59297D89EADF5AE9C1CFDBB6F44FC,SHA256=5AF1E793AF0ED92CA6018BB1A00D9C9ABB9709A54117B06846D16123BD2FADAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590392Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:31.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590391Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:31.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590390Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:31.648{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5138B9AF96E7C6CC2A37B03A95592F6E,SHA256=26638446B0206CBB1B93AF2CDD54F26B6DF842807C160E022DA56E26D138DB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590389Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:31.278{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF96FDC7D9B96A767753115A23DC67F,SHA256=20929C4B602EABF4B880239FF130E30C46D08CAB28E9C2F9DEE830473BE973DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002591767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:29.813{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52562-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002591766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:29.728{21761711-D563-6081-218A-00000000BB01}8012C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52561-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002591765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:31.269{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:31.269{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4242B096FF7F52F8811CC783FC654494,SHA256=ECE4A97B6502E6FAD1E0811E4317361AA1D8DF66F8102F5BD2638B8E5AF71AA1falsefalse - insufficient disk space 
11241100x80000000000000002591763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:31.120{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:31.120{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDBA667889EF05444582018C61B15EC,SHA256=D4B5AC25FF9101CC2DCF125EC35C554390086E4427BB303D41714CCBD1574091falsefalse - insufficient disk space 10341000x80000000000000001590398Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:32.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590397Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:32.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590396Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:26.075{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local26330-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001590395Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:26.075{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local26330-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001590394Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:32.311{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\datareporting\aborted-session-pingMD5=759F21BD36F92E62DB128AE967DD83DA,SHA256=A40E9DEB2F54CF0027592C7238FCE923A95C4C3601246FC9BEA46C1FC1E5DC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590393Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:32.292{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C958DF496A3E054DEE3F68A35E34B9A,SHA256=7A20DEF01C53957A303212E5416074EC25FBE69929FFCCB064616A077F7E3CAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:32.122{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:32.122{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5B400208B0275593FD76540A943E0E,SHA256=30BD68FA2E3509EE1519805C68D76D28913CEE309249B4880BAFEDDB157F5493falsefalse - insufficient disk space 10341000x80000000000000001590401Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:33.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590400Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:33.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590399Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:33.301{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522B747D0EF8B6A83FD26D122F9A922D,SHA256=DEEDAA7CD310A4A68B1582C4F6229AEC7F01059D6AA927A8CE572752493C71F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:33.178{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:33.178{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C264A1E6A1F9F09FBFADF2F35B296826,SHA256=53AA8E621C9BF5F8E2661C0C633D4E6D946DCD844C9B2024144357BFE2EC6760falsefalse - insufficient disk space 11241100x80000000000000002591771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:33.156{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:33.156{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA12D9EE98263DBC24CB20EF0DDACA1D,SHA256=00BAF5B0EB253F4473459C42A339FF4A0918C3FD516A762E1A1D69A6BD0719E2falsefalse - insufficient disk space 354300x80000000000000002591776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:31.632{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52563-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002591775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:34.158{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:34.158{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F580FA7FD0B5020C6344F11EC54B2B6,SHA256=83B8BA3F8181956C4F17B45F82E33D2E89DD7812A0435BAF99D00FA902257E7Cfalsefalse - insufficient disk space 10341000x80000000000000001590404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:34.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590403Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:34.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590402Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:34.304{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC7A84C7E508DE3E7CC6DDA48DF5E45,SHA256=CAC08B0594067EF0D79867F6E9757EEA62A573202684B11DC5DE1A22D5D8E843,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:35.847{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-04-22 20:00:35.847 11241100x80000000000000002591779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:35.847{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-04-22 20:00:35.847 11241100x80000000000000002591778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:35.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:35.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD81C6A4521D09C9924CDEE541BE799,SHA256=BC97BE240580B7B731979F7FA3BDC1E0E8B618244A7DFA75F93FB5C12838FD58falsefalse - insufficient disk space 
10341000x80000000000000001590408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:35.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:35.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:35.307{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE13BED697F5BA44EC62819F6920C667,SHA256=268661D102AF5246167EEBB809745EFA45AAEA923CC42EBB81A77609F2002B49,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001590405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:35.084{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF08BDB6CA5061DA5B59679C6E6E9851,SHA256=934EFEA1CD83310594ACE17CC75985524A2C50707F5D5EC92850F5D5C071DE98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:36.163{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:36.163{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE75F03D35D2BCFA0B43FA32C8DA658,SHA256=7B8E142613FB8FEE5C64119C32EBA9A620F01E75D6913CBD8B11BDFE758CE579falsefalse - insufficient disk space 10341000x80000000000000001590412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:46.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:46.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62D49F29F2D4C0D991B2001156687FF1,SHA256=B16B75D71DCE4942F53D998323D3C3A40B16949966DB44C4868915F795142858falsefalse - insufficient disk space 23542300x80000000000000001590445Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:46.094{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE5BA32BB4AB5FD62F5239B8DC515E0,SHA256=721D8180649C6AC3A681FFCDC2948610219C5F445C836A9B6113EC9FAF98E1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590444Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:46.093{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0C30A3F6A5B6CFAAF7A6980B8862D18,SHA256=0BE657DD480D4909862CB7DE1BFEC8DDFC3A63D2DD7D5A4D8D59BED4236E1B70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:47.875{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:47.875{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54B896522DFBA006E98937133724831,SHA256=C2BF8CF8747A57A0D3893909A58C9F6BEEB6A77BACD965ABAAC756CDD74F9270falsefalse - insufficient disk space 23542300x80000000000000002591832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:47.875{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E0610D6FC49E59AB781B114005BBADF1,SHA256=A6D93270F87FA25900411ED7EBA5C46B4630F7C700B6179D9EAEE69F93DFF044falsefalse - insufficient disk space 10341000x80000000000000001590452Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:47.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590451Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:47.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590450Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:40.527{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26334-false10.0.1.12-8000- 23542300x80000000000000001590449Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:47.372{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF31C6FC00CB89C09FAEAE27B4685C1E,SHA256=A52EB19B9C4C5C4329AA4A918C423EF47F31AC4EABCBA77EC11B7BF1333334A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002591831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:44.701{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52567-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000002591836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:48.878{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:48.878{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2710DAAE33E157B736912357C4B4182,SHA256=0A90D335EA81F50516301F73D13A8F3FD9FABA8481AE7D6A73933975BAE653A6falsefalse - insufficient disk space 10341000x80000000000000001590455Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:48.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590454Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:48.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590453Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:48.378{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCE987EA7EC34BE321E5ADA5EBB4A53,SHA256=2C88F7D1D3F1A89C67A1A207133F3B4DF3DE77CCA6D1B3AD19F34D28AB655E3E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:49.964{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:49.964{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85BC497240CD6132C026F3F17F78B43,SHA256=7715FD5A0D00D0A0BDFBF288C2418B59D73CB68B66DB03AD925EE964C697751Efalsefalse - insufficient disk space 
10341000x80000000000000001590458Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:49.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590457Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:49.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590456Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:49.381{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB1EDD234966F6BA245C77A731CB00C,SHA256=FD3571B7405482594E1B0F3AD45FBCFCEA7119DEA594FC67087BC34516AD87A1,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002591838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:49.213{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:49.213{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D8B14CB182804DA91A9151DB26BD31,SHA256=E81BB2EEED87373ED37A9351A232F3AE05C3022D0C546ED37BC24CBDCBCADD4Afalsefalse - insufficient disk space 10341000x80000000000000001590469Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590468Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:50.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590467Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.387{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439A2BB2D5CEC84188BE03FDE03BD811,SHA256=58503DC44AD10E12C54ECF0A292B8CD78AB42EFDD3FAF31B412C60715D822875,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002591842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:00:50.365{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000002591841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:47.673{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52568-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001590466Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:50.214{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5F2-6081-8988-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590465Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.213{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590464Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:50.213{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590463Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.212{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590462Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:50.212{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590461Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.212{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-D5F2-6081-8988-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590460Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.212{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5F2-6081-8988-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590459Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:50.211{761B69BB-D5F2-6081-8988-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001590474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:51.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:51.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590472Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:51.408{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=281C666265B980BAD62D2EA76FBB2A21,SHA256=2FBB40B5BEE64257558758D2ACAC995DE73D2941607928E5A93C0092AFE4C62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590471Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:51.407{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE5BA32BB4AB5FD62F5239B8DC515E0,SHA256=721D8180649C6AC3A681FFCDC2948610219C5F445C836A9B6113EC9FAF98E1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590470Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:51.396{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D30A2436DB32EB49D05BB5179FFE63,SHA256=E712D20AD0B7D39CEC5512D2EBE855C215321B92E0E60BE8054022D6D199E59C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:51.437{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:51.437{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B279BC45E5B40E7ACE544B6ADF82A47,SHA256=1C25968A337258CC41F12F564C5E77FD27544C059FD0383DF31910C112C29377falsefalse - insufficient disk space 11241100x80000000000000002591844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:51.036{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:56.364{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC17263D94C240A2389C6BC3D06B8FA,SHA256=F60CB09FD88D93EA514841D74AF6D7B57398562D3284883C45C9D735C31BF460falsefalse - insufficient disk space 10341000x80000000000000001590523Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:56.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590522Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:56.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590521Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:56.441{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20DF34F9A5E38EA69C4C3D5A991D095,SHA256=64A6BA269C3CC5FAE526A9723082E0B0DFA0420589361558784F3797FD55D445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590520Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:56.189{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154ED4F6C19650DE912090CBB8552997,SHA256=47F29F2E93B7AD8AC6B5640350D835684501716ED4DD121BE8BF6BE2F9CBBC43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:57.366{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002591863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:57.366{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C07172789627A5C1D218EF6F47BF130,SHA256=DEEBEE115B22C06DF8EC65482E9FE73CE1BBE70EBC38FD7BBB55FC3EEABAAF45falsefalse - insufficient disk space 10341000x80000000000000001590527Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:57.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590526Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:57.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000001590525Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:51.543{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26338-false10.0.1.12-8000- 23542300x80000000000000001590524Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:57.444{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2505165015458111D17443DDDF73C9,SHA256=F5D28B9C84B5A076D0D0DF79EF7F27A5645447FF6CA5A5A7A5AF9F948F36F183,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:58.469{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:58.469{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5E3F57402A34F6BC915B29ECF78E82,SHA256=24CEA38D7EBCE173597D53C8035275E29211D6D3996C5A92950226D24A8E5DE5falsefalse - insufficient disk space 10341000x80000000000000001590539Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:58.980{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590538Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.980{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590537Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.551{761B69BB-D5FA-6081-8D88-00000000BA01}35445308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590536Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.449{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DE3FE1BA2E25028C2095D9163AB789,SHA256=3C4E3386D5F3B4B6DD896389E8219FF6868C9CF6C49732E2E43D35FD29AD82C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590535Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.417{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5FA-6081-8D88-00000000BA01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590534Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:58.415{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590533Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.415{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590532Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:58.415{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590531Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.415{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590530Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:58.415{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-D5FA-6081-8D88-00000000BA01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590529Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.414{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5FA-6081-8D88-00000000BA01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590528Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:58.414{761B69BB-D5FA-6081-8D88-00000000BA01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 24542400x80000000000000002591872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.819{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe2user: WIN-HOST-5\Administrator hostname: mj0b0drgMD5=6489102BA2E56A3276CEC1BE276B76F3,SHA256=DB0B8561468AB6C40B068F07BFCF81942327392F879B19BD25D29A46FA6324B0true 10341000x80000000000000002591871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.819{21761711-83AD-607D-0C00-00000000BB01}7246680C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002591870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:00:59.819{21761711-83AD-607D-0C00-00000000BB01}7246680C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002591869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.819{21761711-83AE-607D-1D00-00000000BB01}19605400C:\Windows\sysmon64.exe{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002591868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.471{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.471{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAC1B6CBB95DE5D56159E47B663B06F,SHA256=D4D5988E6B04C1CB8816EFA050225CC539437F8370FC5D4F2BF4A97C7EDEE637falsefalse - insufficient disk space 10341000x80000000000000001590560Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590559Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:59.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590558Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.901{761B69BB-D5FB-6081-8F88-00000000BA01}5152208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590557Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.757{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5FB-6081-8F88-00000000BA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590556Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.755{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590555Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.755{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590554Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:59.755{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590553Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.755{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590552Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.754{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D5FB-6081-8F88-00000000BA01}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590551Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.754{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5FB-6081-8F88-00000000BA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590550Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.754{761B69BB-D5FB-6081-8F88-00000000BA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001590549Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.455{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B00AB293A8918EE9EA76546B83128F,SHA256=1DF9485B5AD9EF70C90E9277A9EEC7E99905A96772DF326E2A185BBC9FF0941C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590548Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.419{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5721972409C4479DB089F78B5AEB6125,SHA256=0E5886555068EA26CFCE78ABA45400B63B0874B593CB1550DA947DB8EB99845B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590547Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.081{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D5FB-6081-8E88-00000000BA01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590546Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.079{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590545Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.079{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590544Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:00:59.079{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590543Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.079{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590542Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.078{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D5FB-6081-8E88-00000000BA01}4692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590541Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.078{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D5FB-6081-8E88-00000000BA01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590540Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:59.078{761B69BB-D5FB-6081-8E88-00000000BA01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001590564Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:00.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590563Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:00.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590562Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:00.760{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96385B4B108EA8E380934A50843611DE,SHA256=F9A8F903C025F30C7372B919162B301F87CD829E120874CA10289E67A1003893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590561Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:00.463{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE6ED418AEEE4344B706A3F2D0F1422,SHA256=88103E79FB8973E0BC22C2DAD903488BE3117FF90C3B2E6E351C5D3616437B5D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.574{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.574{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0588FE4780155BB5367AFF0AF48B92B,SHA256=417F820DED5F3714FCBC5969476A0CD69A70F7471F059DF9E5B04B2F3BE5950Ffalsefalse - insufficient disk space 12241200x80000000000000002591877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
20:01:00.373{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002591876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.073{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.073{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F7DC79EF616D4DB34CA08D1F4416BE,SHA256=DFB062E19378FABF80B177BC254AA7ECFB8159E47CA4ECE44D3676E7A4E0ACADfalsefalse - insufficient disk space 11241100x80000000000000002591874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.073{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.073{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B12AC3C03221BEEABC81CA9E62113A80,SHA256=C915B218BC811EADEA16F433B1F40704F3D6B3D1958F27015B09EA3FE039AEFBfalsefalse - insufficient disk space 11241100x80000000000000002591884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:01.607{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:01.607{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51527661769B87136BBDA0BBBEB76497,SHA256=CE55EBB2B877FD303EC44B74ED10619EC195E0476F9E17494E8571EA5451CBEAfalsefalse - insufficient disk space 10341000x80000000000000001590567Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:01.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590566Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:01.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590565Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:01.470{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE454034D574592DB84227938DCD6CA,SHA256=E838B23B608798660C760C6D75471A1B96D58A5328412E77B0A7BCFC05703951,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:01.376{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002591881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:01.376{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F7DC79EF616D4DB34CA08D1F4416BE,SHA256=DFB062E19378FABF80B177BC254AA7ECFB8159E47CA4ECE44D3676E7A4E0ACADfalsefalse - insufficient disk space 
354300x80000000000000002591880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:58.498{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52571-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002591887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:02.626{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:02.626{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F7DA2D7683978C0A0E7DADCD004ED3,SHA256=6B908FB350B7A23693A17E9A0040669EF7EDEC5E290CD829986BE202131BEE2Ffalsefalse - insufficient disk space 10341000x80000000000000001590572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:02.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001590571Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:02.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590570Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:00:56.685{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26339-false10.0.1.12-8000- 23542300x80000000000000001590569Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:02.477{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818A646C5168F65C06B5A41AA707C0F8,SHA256=159F10B8DCDB3E68109DE17A45CE594DCD159A20AED6FEAB76D1728B6C999A8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002591885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.836{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52572-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 
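The records on this page are Sysmon events exported from Splunk with every XML element boundary stripped, so the field values of one event run together (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, RuleName, then the per-event data fields). Because Sysmon's field order for each event ID is fixed, Level is always 4 and Task equals EventID, the boundaries can be recovered mechanically. The script below is an added example written for this page, not code from the page or from Splunk or Sysmon; the four sample records are copied from the dump above (the rundll32.exe network connection and CreateKey from win-host-5, the streamfwd.exe connection from the same host, and one of the FileDelete records). The regex names, the assumption that addresses are IPv4 and registry values are DWORD/QWORD, and the two checks it runs are mine. The checks surface two things the raw data already contains: a rundll32.exe process running as WIN-HOST-5\Administrator that creates the Internet Settings\Connections key and then initiates a TCP connection to a public address on port 443 under the same ProcessGuid, and FileDelete events on win-host-5 whose archive copy was not kept because of insufficient disk space, which means deleted files on that host are not being preserved for forensics.

```python
"""Recover field boundaries from tag-stripped Sysmon records and run two
checks over them. Added example, not part of the original dump. Assumptions:
Sysmon's per-event field order, Level 4, Task == EventID, IPv4 addresses and
DWORD/QWORD registry values only (all true for the records copied below)."""
from __future__ import annotations

import ipaddress
import re

# Envelope shared by every record: EventID Version Level Task Opcode Keywords
# EventRecordID Channel Computer RuleName('-') [EventType] UtcTime <body>
HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)4(?P=event_id)0"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>[\w.-]+?)-"
    r"(?P<event_type>[A-Za-z]+)?(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
    r"(?P<body>.*)$",
    re.DOTALL,
)
_PROC = r"^\{(?P<process_guid>[0-9A-F-]+)\}(?P<process_id>\d+)"
_HASH = r"(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+"
BODY = {
    # 3 NetworkConnect: hostnames are matched lazily so the digit run after
    # each one becomes the port; port names may not contain digits.
    3: re.compile(
        _PROC + r"(?P<image>.+?\.exe)(?P<user>.+?)(?P<protocol>tcp|udp)"
        r"(?P<initiated>true|false)(?P<src_is_ipv6>true|false)"
        r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<src_host>.*?)(?P<src_port>\d+)"
        r"(?P<src_port_name>[^\d]*?)(?P<dst_is_ipv6>true|false)"
        r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<dst_host>.*?)(?P<dst_port>\d+)"
        r"(?P<dst_port_name>[^\d]*)$"
    ),
    # 12 RegistryEvent CreateKey/DeleteKey
    12: re.compile(_PROC + r"(?P<image>.+?\.exe)(?P<target_object>.+)$"),
    # 13 RegistryEvent SetValue (numeric Details only, as in this dump)
    13: re.compile(_PROC + r"(?P<image>.+?\.exe)(?P<target_object>.+?)"
                   r"(?P<details>(?:DWORD|QWORD) \(.*\))$"),
    # 23 FileDelete: Archived is followed by a free-text reason when false
    23: re.compile(
        _PROC + r"(?P<user>.+?)(?P<image>[A-Z]:\\.+?\.exe)(?P<target_filename>.+?)"
        r"(?P<hashes>" + _HASH + r"(?:," + _HASH + r")*)(?P<is_executable>true|false)"
        r"(?P<archived>true|false)(?P<archive_note>.*)$"
    ),
}


def parse_record(raw: str) -> dict | None:
    """Split one flattened record into named fields; None if unrecognised."""
    m = HEADER.match(raw.strip())
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "body"}
    event["event_id"] = int(event["event_id"])
    body_re = BODY.get(event["event_id"])
    if body_re is None:  # envelope only for event IDs not modelled here
        return event
    b = body_re.match(m.group("body"))
    if not b:
        return None
    event.update(b.groupdict())
    return event


def suspicious_connections(events: list[dict]) -> list[dict]:
    """rundll32.exe initiating a connection to a non-private address, joined
    with any registry objects the same ProcessGuid touched."""
    registry: dict[str, list[str]] = {}
    for e in events:
        if e["event_id"] in (12, 13):
            registry.setdefault(e["process_guid"], []).append(e["target_object"])
    hits = []
    for e in events:
        if e["event_id"] != 3 or e["initiated"] != "true":
            continue
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        if ipaddress.ip_address(e["dst_ip"]).is_private:
            continue
        hits.append({"computer": e["computer"], "user": e["user"],
                     "process_guid": e["process_guid"],
                     "destination": e["dst_ip"] + ":" + e["dst_port"],
                     "registry_touched": registry.get(e["process_guid"], [])})
    return hits


def archive_failures(events: list[dict]) -> dict[str, set[str]]:
    """Hosts whose Sysmon FileDelete archiving failed, with the reasons given."""
    failed: dict[str, set[str]] = {}
    for e in events:
        if e["event_id"] == 23 and e["archived"] == "false":
            failed.setdefault(e["computer"], set()).add(e["archive_note"].strip(" -"))
    return failed


# Records copied from the dump above, one event per string.
SAMPLE_RECORDS = [
    r"354300x80000000000000002591885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:59.836{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52572-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https",
    r"12241200x80000000000000002591877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:00.373{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections",
    r"354300x80000000000000002591880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:00:58.498{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52571-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-",
    r"23542300x80000000000000002591878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:00.574{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0588FE4780155BB5367AFF0AF48B92B,SHA256=417F820DED5F3714FCBC5969476A0CD69A70F7471F059DF9E5B04B2F3BE5950Ffalsefalse - insufficient disk space",
]

if __name__ == "__main__":
    parsed = [e for e in map(parse_record, SAMPLE_RECORDS) if e]
    print(suspicious_connections(parsed))
    print(archive_failures(parsed))
```

The envelope regex relies on two invariants of this export (Level is 4 and Task repeats the EventID) to find the seam inside the leading digit run; without them "354300x" is ambiguous. Records for event IDs not in BODY (10, 11, 1 in this dump) come back with the envelope only, so a caller can still count them per host without a body parser. Event 3 hostname fields are the fragile part: a hostname that ends in digits would be mis-split, which is why the port-name groups forbid digits and act as the backstop.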
23542300x80000000000000001590568Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:02.254{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C770B7D13F99B70BC760306CC8D1F4,SHA256=E5634E72D374BC25F6268B210F3B65ED7E1F9048D6E43E2A4F751BBA264F1603,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002591889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:03.746{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:03.745{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AFD2A1DAEEF768CDD44F2151C10473,SHA256=28B61E263D0D5451EBB862CFA07DA712CAAFA837C635F416426E25FA24B109C1falsefalse - insufficient disk space 10341000x80000000000000001590585Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:03.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590584Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:03.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590583Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:03.483{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1629775051B96988C9E8362E77E402D,SHA256=80505F41324B72CA4CAEBAD2A1AFCC51B1A7824DC24EAB255EC4BCAD70913AA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001590582Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 
20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001590581Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x10e9e30c) 13241300x80000000000000001590580Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d737a9-0xd6eb18cb) 13241300x80000000000000001590579Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d737b2-0x38af80cb) 13241300x80000000000000001590578Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d737ba-0x9a73e8cb) 13241300x80000000000000001590577Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001590576Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 
20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x10e9e30c) 13241300x80000000000000001590575Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d737a9-0xd6eb18cb) 13241300x80000000000000001590574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d737b2-0x38af80cb) 13241300x80000000000000001590573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 20:01:03.331{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d737ba-0x9a73e8cb) 11241100x80000000000000002591891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:04.849{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:04.849{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E500C02FD9D005FEDC050D6AF1440EBF,SHA256=468839DD29B2499634520E6AA2E80C4C0874F54254F1203F9BFFB7B10BD6DBD5falsefalse - insufficient disk space 
20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002591934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002591933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002591932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002591931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002591930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002591929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002591928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 734700x80000000000000002591927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:10.397{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000002591926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000002591925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002591924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:10.381{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000002591921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.394{21761711-D606-6081-338A-00000000BB01}7724C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\Documents\7z.exe a -v500m -mx9 -r0 .\file1.zip 734700x80000000000000002591920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000002591919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002591918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000002591917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002591916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002591914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002591913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000002591912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® 
Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000002591911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000002591910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002591909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\Documents\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exeMD5=AFC08CE359E79887E45B8460E124D63E,SHA256=A20D93E7DC3711E8B8A8F63BD148DDC70DE8C952DE882C5495AC121BFEDB749Ffalse-Unavailable 10341000x80000000000000002591908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000002591907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.381{21761711-D5A2-6081-2A8A-00000000BB01}69567212C:\Windows\syswow64\rundll32.exe{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+159f9b(wow64)|C:\Windows\System32\KERNELBASE.dll+159c4c(wow64)|UNKNOWN(0000000002D938CE)|UNKNOWN(0000000002D973FE)|UNKNOWN(0000000002D97521)|UNKNOWN(0000000002D9767B)|UNKNOWN(0000000002D92780)|UNKNOWN(0000000002D97EDB)|UNKNOWN(0000000002D91506)|UNKNOWN(0000000002D9880C)|UNKNOWN(0000000002DA5C9E)|UNKNOWN(0000000002DA5D46) 154100x80000000000000002591906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.387{21761711-D606-6081-328A-00000000BB01}7328C:\Users\Administrator\Documents\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exeC:\Users\Administrator\Documents\7z.exe a -v500m -mx9 -r0 .\file1.zipC:\Users\Administrator\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=AFC08CE359E79887E45B8460E124D63E,SHA256=A20D93E7DC3711E8B8A8F63BD148DDC70DE8C952DE882C5495AC121BFEDB749F{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\syswow64\rundll32.exe 12241200x80000000000000002591905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
20:01:10.381{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002591904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.012{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002591903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:10.012{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7D1843EFD432ECDC3EB4F190ED7626,SHA256=FC5B64CABA1CA853BD3A5056A5A60659861FC47CC118F9CB282122DC00100418falsefalse - insufficient disk space 354300x80000000000000001590608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:04.537{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26341-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001590607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:10.111{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F2F3D00C6072847A842FE6F2C5036B0,SHA256=4593DC2F239EFA813A659C95C8D13D0F41BE2DDD17ED816AB135CEC9D50AE75B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001590614Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:11.990{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590613Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:11.990{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590612Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:11.715{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CC45BE97DFD10A3ADA281EF17CEB46,SHA256=7A328451BB2AF49FC9EBA4594DE94A5E841ED8893EBAFD219EAD2B872DB22E84,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000002592052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000002592051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000002592050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000002592049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000002592048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000002592047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000002592046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000002592045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000002592044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000002592043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000002592042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000002592041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 
20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000002592040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000002592039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:11.743{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000002592038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.411{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.411{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDA61FFCB6D257F0F26568D49D50059,SHA256=D0AE364EE50448AA3856B0AAB08748ECC11727669AB5370245C8B1D5642C58E3falsefalse - insufficient disk space 11241100x80000000000000002592036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.411{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.411{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E9EA618C30A4CC6B9911A09A9C3655,SHA256=77DA644472DF9DABFCB2068567D53731D71F7788EA6A4098DDCA24C5C732214Cfalsefalse - insufficient disk space 11241100x80000000000000002592034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.411{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.411{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59EAF4EF2FB7F88754755177B1BB9089,SHA256=A83D20AF0A05C64F04C9FD8A752921281F3C5D8842F1CC3907443107ECB68B05falsefalse - insufficient disk space 534500x80000000000000002592032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.279{21761711-D607-6081-348A-00000000BB01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002592031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:11.279{21761711-D607-6081-348A-00000000BB01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
20:01:15.993{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590626Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:15.741{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AD06DB8C11898F899DD133820AAA73,SHA256=6EE858F2CBD8C040F4CE401EF415927786693FDE9F3B7357AA7E33A3E55030F0,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002592124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.875{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002592123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.875{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002592122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:15.875{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002592121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.875{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002592120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.754{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002592119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.753{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 
734700x80000000000000002592118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.753{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002592117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:15.753{21761711-D60B-6081-358A-00000000BB01}6284\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002592116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.752{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002592115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002592114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002592113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002592112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002592111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002592110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 
(rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002592109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002592108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002592107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002592106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002592105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002592104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002592103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft 
WindowsValid 734700x80000000000000002592102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002592101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002592100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002592099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, 
Inc.Valid 734700x80000000000000002592098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002592097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002592096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002592095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002592094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002592093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002592092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002592091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002592090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002592089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002592088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002592087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 
734700x80000000000000002592086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002592085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002592084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000002592083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002592082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002592081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002592080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002592079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000002592078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002592076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:15.737{21761711-D60B-6081-358A-00000000BB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002592169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002592168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002592167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002592166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002592165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002592164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002592163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002592162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002592161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002592160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002592159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 
(rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002592158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002592157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002592156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002592155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002592154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002592153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002592152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002592151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002592150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002592149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002592148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002592147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002592146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002592145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002592144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002592143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002592142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002592141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002592140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000002592139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002592138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002592137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002592136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, 
Inc.Valid 10341000x80000000000000002592135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002592134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.423{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D60C-6081-368A-00000000BB01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002592133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.408{21761711-D60C-6081-368A-00000000BB01}6932C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002592132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:16.407{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:16.407{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002592130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:16.407{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:16.407{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002592128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:16.407{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:16.407{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
11241100x80000000000000002592126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.106{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:16.106{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02A566253698BBC54E42888AE774D917,SHA256=C19F24457A09877391FCA921E2C554A7457004862AF56B4B8D1C4F36A3535C88falsefalse - insufficient disk space 10341000x80000000000000001590634Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:17.995{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590633Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:17.995{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590632Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:17.781{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FD1A3B07569F73E60CB0DF1F34F6DF,SHA256=68CFB5875902A9BB6CE32436252A5D5787339CF53B09FEED2A4230FA4C02BF1D,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002592304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.763{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002592303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.763{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002592302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:17.763{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002592301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.763{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002592300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.659{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.659{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BB76D226B43A36EE83E96DA9043CDD,SHA256=F70420325EF198FB91D4444D4C5168D4735061AE337B363E1408EE1AFB254ECBfalsefalse - insufficient disk space 734700x80000000000000002592298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.641{21761711-D60D-6081-388A-00000000BB01}4588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002592297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002592296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002592295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002592294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002592293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002592292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002592291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002592290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002592289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002592288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002592287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002592286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002592285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002592284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002592283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 
734700x80000000000000002592282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002592281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002592280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002592279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002592278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002592277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002592276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002592275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002592274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002592273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002592272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002592271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002592270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002592269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002592268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002592267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for 
SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002592266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002592265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002592264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002592263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002592262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002592261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002592260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000002592259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002592258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002592257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002592256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002592255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002592254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.626{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000002592253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.611{21761711-D60D-6081-388A-00000000BB01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002592252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:17.610{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:17.610{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002592250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:17.610{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:17.610{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002592248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:17.610{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
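Added example (not part of the exported Sysmon data on this page, and not Splunk's or Sysmon's own code): a Python triage pass over the record types this export contains (Event ID 1 ProcessCreate, 7 ImageLoad, 10 ProcessAccess, 23 FileDelete). The records above appear to be Windows Event XML with the tags stripped, so the example assumes that shape and re-renders a handful of them with their page values (record IDs 2592253 to 2592301) plus two constructed, hypothetical records (9000001 and 9000002, `dumper.exe`, `helper.dll`) that are not in the export. The allowlist of full-access sources is an assumption to tune per estate. Two points it makes concrete: the three 0x1fffff opens of splunk-winprintmon.exe come from csrss.exe, conhost.exe and its parent splunkd.exe, which is ordinary process start-up plumbing and is discounted by correlating ProcessAccess with the ProcessCreate parent; and the FileDelete records on win-host-5 report `Archived: false - insufficient disk space` where win-dc-982 reports `true`, meaning the archive directory on win-host-5 is full and Sysmon has stopped preserving deleted files there (only the hash in the record survives).

```python
"""Triage of Sysmon Event IDs 1, 7, 10 and 23, the record kinds in the export above."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

# PROCESS_* access rights from winnt.h; together they are what injection and dumping need.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x2, 0x8, 0x10, 0x20
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
# Assumption: subsystem processes that open every new process with 0x1fffff, as the
# conhost.exe and csrss.exe records in the export show. Tune per environment.
EXPECTED_FULL_ACCESS_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}
CREDENTIAL_PROCESSES = {r"c:\windows\system32\lsass.exe"}


@dataclass(frozen=True)
class Finding:
    record_id: int
    event_id: int
    rule: str
    detail: str


def parse_events(xml_text):
    """Return (event_id, record_id, computer, {Data@Name: text}) for every <Event>."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        system = ev.find("System")
        data = {d.get("Name"): (d.text or "") for d in ev.find("EventData").iter("Data")}
        events.append((int(system.findtext("EventID")), int(system.findtext("EventRecordID")),
                       system.findtext("Computer"), data))
    return events


def triage(xml_text):
    events = parse_events(xml_text)
    # Pass 1: ProcessCreate (ID 1) gives each process its parent, so a parent opening
    # its own child (splunkd.exe -> splunk-winprintmon.exe) can be discounted below.
    parent_of = {d["ProcessGuid"]: d["ParentProcessGuid"] for eid, _, _, d in events if eid == 1}
    findings = []
    for eid, rec, computer, d in events:
        if eid == 10:
            access = int(d["GrantedAccess"], 16)
            src, tgt = d["SourceImage"].lower(), d["TargetImage"].lower()
            detail = f"{d['SourceImage']} opened {d['TargetImage']} with {d['GrantedAccess']}"
            if tgt in CREDENTIAL_PROCESSES and access & PROCESS_VM_READ:
                findings.append(Finding(rec, 10, "lsass_memory_read", detail))
            elif (access & INJECTION_MASK and src not in EXPECTED_FULL_ACCESS_SOURCES
                  and parent_of.get(d["TargetProcessGUID"]) != d["SourceProcessGUID"]):
                findings.append(Finding(rec, 10, "unexpected_process_access", detail))
        elif eid == 7 and (d.get("Signed") != "true" or d.get("SignatureStatus") != "Valid"):
            findings.append(Finding(rec, 7, "unverified_image_load",
                                    f"{d['ImageLoaded']} into {d['Image']} ({d.get('SignatureStatus')})"))
        elif eid == 23 and not d.get("Archived", "").startswith("true"):
            # Sysmon failed to copy the deleted file into its archive directory: the
            # content is gone and only the hash carried in the record survives.
            findings.append(Finding(rec, 23, "delete_archive_failed",
                                    f"{computer}: {d['TargetFilename']} ({d['Archived']})"))
    return findings


def _event(event_id, record_id, computer, **data):
    """Render one record in the Windows Event XML shape the export was stripped from."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><EventRecordID>{record_id}</EventRecordID>"
            f"<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>")


HOST = "win-host-5.attackrange.local"
UF_BIN = r"C:\Program Files\SplunkUniversalForwarder\bin"
PRINTMON, PRINTMON_GUID = UF_BIN + r"\splunk-winprintmon.exe", "{21761711-D60D-6081-388A-00000000BB01}"
SPLUNKD, SPLUNKD_GUID = UF_BIN + r"\splunkd.exe", "{21761711-842A-607D-9700-00000000BB01}"

SAMPLE_XML = "<Events>" + "".join([
    # Records 2592253..2592301 carry values from the export above (only the fields the rules need).
    _event(1, 2592253, HOST, ProcessGuid=PRINTMON_GUID, Image=PRINTMON,
           ParentProcessGuid=SPLUNKD_GUID, ParentImage=SPLUNKD),
    _event(10, 2592260, HOST, SourceProcessGUID="{21761711-842B-607D-9B00-00000000BB01}",
           SourceImage=r"C:\Windows\system32\conhost.exe", TargetProcessGUID=PRINTMON_GUID,
           TargetImage=PRINTMON, GrantedAccess="0x1fffff"),
    _event(10, 2592255, HOST, SourceProcessGUID="{21761711-83AC-607D-0500-00000000BB01}",
           SourceImage=r"C:\Windows\system32\csrss.exe", TargetProcessGUID=PRINTMON_GUID,
           TargetImage=PRINTMON, GrantedAccess="0x1fffff"),
    _event(10, 2592254, HOST, SourceProcessGUID=SPLUNKD_GUID, SourceImage=SPLUNKD,
           TargetProcessGUID=PRINTMON_GUID, TargetImage=PRINTMON, GrantedAccess="0x1fffff"),
    _event(7, 2592301, HOST, Image=PRINTMON, ImageLoaded=r"C:\Windows\System32\dbghelp.dll",
           Signed="true", Signature="Microsoft Windows", SignatureStatus="Valid"),
    _event(23, 2592299, HOST, Image=UF_BIN + r"\splunk-winevtlog.exe",
           TargetFilename=r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational",
           IsExecutable="false", Archived="false - insufficient disk space"),
    # Constructed, hypothetical records (not in the export): an unrelated binary reading
    # lsass.exe memory, and an unsigned DLL loaded from a user-writable directory.
    _event(10, 9000001, HOST, SourceProcessGUID="{00000000-0000-0000-0000-000000000001}",
           SourceImage=r"C:\Users\Public\dumper.exe", TargetProcessGUID="{00000000-0000-0000-0000-000000000002}",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    _event(7, 9000002, HOST, Image=PRINTMON, ImageLoaded=r"C:\Users\Public\helper.dll",
           Signed="false", Signature="-", SignatureStatus="Unavailable"),
]) + "</Events>"

if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f"[{f.event_id}] record {f.record_id}: {f.rule}: {f.detail}")
```

Run against the sample it reports three findings: the archive failure on record 2592299, the constructed lsass read, and the constructed unsigned load; the three 0x1fffff opens of splunk-winprintmon.exe are suppressed, two by the allowlist and one by the parent correlation. To run it on real data, feed it the XML rendering of the Sysmon channel (the Splunk Windows event input can emit events as XML) instead of SAMPLE_XML, and expect to extend EXPECTED_FULL_ACCESS_SOURCES with whatever EDR or backup agents open every process on your hosts.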
17141700x80000000000000002592247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:17.610{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000002592246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:14.567{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52576-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002592245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.425{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.425{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8615A7C6310B1D8FFB0F5E02C3A4DE7,SHA256=B67FA35049CC7812BE39BC6A4BDC14D840B9239DAA56735E9878950D1CC8C8FAfalsefalse - insufficient disk space 534500x80000000000000002592243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.077{21761711-D60C-6081-378A-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002592242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.077{21761711-D60C-6081-378A-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002592241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.077{21761711-D60C-6081-378A-00000000BB01}70724648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.077{21761711-D60C-6081-378A-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002592239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:17.077{21761711-D60C-6081-378A-00000000BB01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001590637Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:18.996{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590636Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:18.996{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590635Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:18.789{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C5D207D68E5EEE48069E57D4F19546,SHA256=BA323BFEF214967E79ABD8F76DBC711DA78B83873C1ADE6A741232E789C5D0A0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002592418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002592417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002592416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002592415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002592414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002592413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002592412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002592411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000002592410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002592409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002592408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002592407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002592406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002592405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002592404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002592403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002592402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002592401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002592400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002592399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002592398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002592397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002592396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002592395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002592394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002592393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002592392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002592391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002592390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002592389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002592388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 
734700x80000000000000002592387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002592386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002592385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002592384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002592383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002592382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002592381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002592380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.982{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.966{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002592378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.966{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002592377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.966{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002592376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:18.966{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002592375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.966{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002592374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.966{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002592373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.964{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002592372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:18.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:18.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002592370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:18.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:18.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002592368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
20:01:18.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002592367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 20:01:18.964{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002592366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.781{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.781{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E484A88D51DFA817A5E65D74E17AF77A,SHA256=8D021C2A05DCBCD2365763EFA9DC19560F0BD621B47181D6323384C2AE175C26falsefalse - insufficient disk space 11241100x80000000000000002592364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.762{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.762{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E6C7D563CA89870BC37F63B7AC2D26,SHA256=F388245AF12CACFAAD03DDF14126507634416210216838C2999C971AA358411Afalsefalse - insufficient disk space 11241100x80000000000000002592362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.760{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.760{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECC7788E1A7C05EEFB32909054AF8559,SHA256=4D768B9D6D7B9B986F949AC5BD8DE03ED6A5634D895FEAC1A777597CD861D573falsefalse - insufficient disk space 534500x80000000000000002592360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.427{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002592359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.427{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002592358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:18.427{21761711-D60E-6081-398A-00000000BB01}18882188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.427{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002592356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.427{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002592355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.312{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 
(rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002592354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.312{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002592353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.312{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002592352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 20:01:18.296{21761711-D60E-6081-398A-00000000BB01}1888\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002592351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:18.296{21761711-D60E-6081-398A-00000000BB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.345{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002592422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.113{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002592421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.113{21761711-D60E-6081-3A8A-00000000BB01}9163512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.113{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002592419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:19.113{21761711-D60E-6081-3A8A-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002592478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:20.949{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590673Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590672Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590671Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590670Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590669Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590668Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590667Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590666Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:26.183{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590665Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.000{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590664Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:26.000{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:27.866{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8FC4D49127E31454A5E0B50F4A2B9E,SHA256=21270778D3DAB079624266DCADB7E6F93ECE18DC81235ACD329726EF61BA156E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002592502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:25.592{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002592501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:27.201{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:27.201{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DFFB67DA8EBE89B7DCE418F60972C4,SHA256=E2C40B88331D3F072F7D46D33CD1EE85E005940B12824197481C05B96347E8C0falsefalse - insufficient disk space 10341000x80000000000000001590701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:27.001{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:27.001{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:27.148{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:27.148{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3CCC7BC25A0CF0C0D30CB1EDD89D35A,SHA256=57091A68A947538BC339C5B9F7B66ABA04204A850050823E18965A1495312546falsefalse - insufficient disk space 11241100x80000000000000002592497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:27.148{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:27.148{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A48B40620247C7F1C0E6BD9313CC7C,SHA256=D4E5404E93AFAF02DAF3C5AA7F4A3A1BCD8660B426DA072506ED1A38FE086E24falsefalse - insufficient disk space 23542300x80000000000000001590705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:28.869{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19C29DC0CD75487674603FE2DA21B96,SHA256=AF5449A2F305BF2C011F5DBB1117D23C1390062460CC39ECE5D3D0CA737D7FEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002592504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:28.288{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:28.288{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1F7D5050CF78219E5FF5FC9E0ED1F2,SHA256=FAECF7B2FD52580342F4499F5101DC109562A5E06C6DD0A8C77DA2F72C509E07falsefalse - insufficient disk space 10341000x80000000000000001590704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:28.002{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:28.002{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:29.874{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2837A9061E8C8D07BDA671CC5C68692,SHA256=3B82809935EBF9B9D97B0AD5C2A433D261E3FFCCC67AE9DA7161F181CE55DD81,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002592506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:29.507{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:29.507{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9725C73D122A8D3CE534C1FAADDEE16,SHA256=BFDCDE42B439F6EC37C94AB87C7FDBE9054637D6FC511685D7CC5E13CAE8A0EAfalsefalse - insufficient disk space 
10341000x80000000000000001590707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:29.003{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:29.003{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:30.881{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E6CD5198EED493ECB3864F80EDA254,SHA256=54E511F0D4CF6B8B6A196F1F027C0CA2CB75AC6236DB5CDDE1CB0D685BCFB7B5,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002592510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:30.540{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:30.540{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2338E6F8087910CC1EA057C4097CA76B,SHA256=F9D8DEB21DCD2C0C6C3B3632C8B0455277CF91C3AA8CB6B9529F55D654941681falsefalse - insufficient disk space 354300x80000000000000001590713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:24.619{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26346-false10.0.1.12-8000- 23542300x80000000000000001590712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:30.398{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E256C74518F4F13D26E71BFA781F8201,SHA256=CF858734085D14FE2DC588E89A1AF50DD451A533A29698455BF892E3D46D70EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:30.397{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04665BCD8D0444FBFCA83B24A6A72E67,SHA256=FC6D1C937F472A4E3A485F5DA980274E20453944B423291F554FE6C5D24F1CE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:30.004{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:30.004{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002592508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:30.409{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
12241200x80000000000000002592507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:30.271{21761711-D563-6081-218A-00000000BB01}8012c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000001590718Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:31.895{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A15FA41EB885C0E005A520ADFDAE759,SHA256=04F4483BF08A44F8A63279191991FD0F30FB114A40B51463FE39BC36C8684AD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002592515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:29.734{21761711-D563-6081-218A-00000000BB01}8012C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52580-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002592514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:31.543{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:31.543{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA604E3595EE9802F6ED9A4EDA8AA669,SHA256=9574901C191B8BA31EDE6E00902EF14AEBA2D28C7D58AE7C490F0CFD78E3598Bfalsefalse - insufficient disk space 23542300x80000000000000001590717Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:31.650{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E256C74518F4F13D26E71BFA781F8201,SHA256=CF858734085D14FE2DC588E89A1AF50DD451A533A29698455BF892E3D46D70EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:31.004{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:31.004{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:31.273{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:31.273{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3CCC7BC25A0CF0C0D30CB1EDD89D35A,SHA256=57091A68A947538BC339C5B9F7B66ABA04204A850050823E18965A1495312546falsefalse - insufficient disk space 23542300x80000000000000001590726Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:32.904{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5652209CF623C0C9E509658B9039448E,SHA256=F7978C0FE27E2E37E140826925AB48CC916276EE7EF6560901969EF1E9CF86C4,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002592519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:30.605{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52582-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002592518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:29.872{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52581-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002592517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:32.545{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:32.545{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0AE8C439E64B8B289EA183002040D3,SHA256=B418CBC2EED6D46027B260C247E5C1BCFF583103EAF28A117979AAB7FFD11F77falsefalse - insufficient disk space 354300x80000000000000001590725Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.076{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local26347-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 
354300x80000000000000001590724Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:26.076{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local26347-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 10341000x80000000000000001590723Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:32.309{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001590722Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:32.309{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590721Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:32.308{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10ea5445.TMPMD5=FD9CA3B752C969255F9013E45601E2FF,SHA256=6B542E6C346BCD00B0E9E5182F5689C44912608F9BE79EE9E779CD8B01144944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590720Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:32.005{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:32.005{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:33.547{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:33.547{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD315064477A2C3786EACC125714687,SHA256=EFF2A061E11287E7AEC980F242238BC4F71554A66C2160FC79B8B0E2C3876F08falsefalse - insufficient disk space 23542300x80000000000000001590729Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:33.908{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA9BD66FD70BF640A67738C4CF79746,SHA256=49DE10DE3304F9741F53E4D88EA312AE0E7D1318533FA91833A9582CEA3DE168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590728Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:33.006{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590727Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:33.006{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:34.566{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:34.566{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD48D536C93E63B4FDC6869B0152BB8,SHA256=4789D0E6B9EDF39BBCE3768B830320354909231F13EAAB888FD012D08040A438falsefalse - insufficient disk space 23542300x80000000000000001590732Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:34.911{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE38772337C6B2B58BD5663BDE00ECA,SHA256=CC0DC2C7251D569CA56182A744065B289387A42B6FE787983AB27DF4E5809C90,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001590731Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:34.007{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590730Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:34.007{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:35.684{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:35.684{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11E98DD31BBBD18815B279F17EA8958,SHA256=1E9E40C780A71FE7B88369260351C82CEF7A92E45C8715FB471280D442A2E610falsefalse - insufficient disk space 23542300x80000000000000001590735Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:35.914{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21699378689697556DBC418B490AE4ED,SHA256=D199A96BC7E71EA329E60EEC2DA6F758D0F9539CFDE0F976F49140E5D99C28AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590734Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:35.008{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590733Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:35.008{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:36.786{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:36.786{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF02EC18646E87024FD47BD6E9BB4F5,SHA256=37A105CA4A807D81CBACE4853B664055C930BA98978AD8B6AC5AE524E3B74D38falsefalse - insufficient disk space 23542300x80000000000000001590740Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:36.918{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6D2B996220A2F3D6E14F647D28A4E1,SHA256=F973C241C02C978ABAFBC704D45AC993C37A0A2D6911B2627783C4BA27C6BF11,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001590739Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:30.502{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26348-false10.0.1.12-8000- 23542300x80000000000000001590738Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:36.070{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=094783142B337983D79E34F900A31B04,SHA256=FB8CF941BAAD5C0567686D8B73C387691BD7B27BB1FDC86012435D0750C7A2E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590737Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:36.008{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590736Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:36.008{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590743Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:37.929{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADEDA5DF32DCEA195AA8286EEF4650A,SHA256=FC546965AEBC4A0BFA5293F146081F2A7C4DAB6C04D0DD2DE7C6B66849FE608A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590742Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:37.009{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590741Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:37.009{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590746Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:38.933{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46379344808BB7B3E644E915386EE29,SHA256=1A44F14766DD1D983DE6F9AB18DEF52D77076B1C1ED636CCAC52C4B52350BC69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002592539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:36.619{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52583-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 24542400x80000000000000002592538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.544{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe2user: WIN-HOST-5\Administrator hostname: mj0b0drgMD5=CD36B1918F702181B7FC0477069F4B1D,SHA256=4A4D3BC7FC223EB2A5FC1F6B9AF7C497B4EE1F1F3F0FBEF63EB14E8796B25AE7true 10341000x80000000000000002592537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:38.544{21761711-83AD-607D-0C00-00000000BB01}7246680C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.544{21761711-83AD-607D-0C00-00000000BB01}7246680C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:38.544{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeC:\Sysmon\CLIP-CD36B1918F702181B7FC0477069F4B1D4A4D3BC7FC223EB2A5FC1F6B9AF7C497B4EE1F1F3F0FBEF63EB14E8796B25AE72021-04-22 20:01:38.544 10341000x80000000000000002592534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.544{21761711-83AE-607D-1D00-00000000BB01}19605400C:\Windows\sysmon64.exe{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.174{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.174{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D94856AFFA1DCFAE546AA8446A9E3313,SHA256=7A252B97E3FBF05FE79669F4F15F31E72A2B756DBC2CA018F6EA8E29DD6CDD0Efalsefalse - insufficient disk space 
11241100x80000000000000002592531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.174{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.174{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8C852598AAD8AFFEB6FF10321B52CF9,SHA256=A388642A0770CBA6A5F9D01A97AD8E3FB0CABA2DF5BC1991A5A65FD68F96F6FCfalsefalse - insufficient disk space 11241100x80000000000000002592529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.007{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:38.007{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265E0B77E8DD0BEFDFE2CCC7FF129334,SHA256=6AC47B1FB4F202F2948E5C230AE11208C0476B34D70C15AC63C0401839FA366Efalsefalse - insufficient disk space 10341000x80000000000000001590745Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:38.009{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590744Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:38.009{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590749Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:39.937{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED858AF6D21AE091EF9A9CE9BEF53BD9,SHA256=569579DAFE5C00EDC93AF484B85E36196835E439148669BCA69BEEDE9D2778C1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002592541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:39.013{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:39.013{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8A02ACA53CFCA47B754EDB95296B6D,SHA256=1CC12503DE4A405B1BCEF882202C52E6531AE37C1DB94325A770A040CD71209Bfalsefalse - insufficient disk space 10341000x80000000000000001590748Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:39.010{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590747Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
Sysmon operational-log events, one per line (System fields first, then EventData fields as named in the Sysmon event schema).

EventData tail of a record whose System header is not on this page (fields match EventID 10, ProcessAccess): UtcTime=2021-04-22 20:01:39.010 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590753 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:40.948 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=0E6DE8A802B46CB5877671ADAB1094F7,SHA256=A5A2CC5458FFCEDCA8A68963A340980116E5ACB6A405A2F831DD68001843DD7C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590752 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:40.442 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=C9492EB01A4246DABBE7F7A9CC8CA9BF,SHA256=21E2546DF8325ED7DF291D902E9A277E1D8D0D484FD791434A89B58246BD52AE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590751 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:40.010 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590750 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:40.010 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592544 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-04-22 20:01:40.433 ProcessGuid={21761711-D5A2-6081-2A8A-00000000BB01} ProcessId=6956 Image=C:\Windows\syswow64\rundll32.exe TargetObject=HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592543 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:40.063 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592542 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:40.063 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=5ED1FF10F19888962F86C3282C61C909,SHA256=3A3E97326B5A3A73EEDF2AB6DFCF88B507EFEE6C31BD0F24C0A053B75B36D7E2 IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590759 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.956 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=4A33FD0D86079CE92DAA4CDFA8CCD9E5,SHA256=587A88E7FCBC6937B2D5890018C77030ED5844B77DDE82E6F12636423A4DA575,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592549 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:39.895 ProcessGuid={21761711-D5A2-6081-2A8A-00000000BB01} ProcessId=6956 Image=C:\Windows\SysWOW64\rundll32.exe User=WIN-HOST-5\Administrator Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=52584 SourcePortName=- DestinationIsIpv6=false DestinationIp=34.218.235.219 DestinationHostname=ec2-34-218-235-219.us-west-2.compute.amazonaws.com DestinationPort=443 DestinationPortName=https
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592548 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.435 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592547 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.435 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=D94856AFFA1DCFAE546AA8446A9E3313,SHA256=7A252B97E3FBF05FE79669F4F15F31E72A2B756DBC2CA018F6EA8E29DD6CDD0E IsExecutable=false Archived=false - insufficient disk space
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592546 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.097 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592545 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.097 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=23AA7800C8C47397E4165696773F68AA,SHA256=6AAECD536A3CE49CDFA38C537EF6FE202EF841C47CCB132DBBB65C74C6E1871A IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590758 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.742 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=14528B115269F657FC204D28629DA84B,SHA256=ED5B943703E08C1F3449A490ADFFE6C027F477FD03F6BBC0C18522ADA24940F2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590757 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:35.748 ProcessGuid={761B69BB-9C8D-6081-C081-00000000BA01} ProcessId=4856 Image=C:\Users\Administrator\Desktop\beacon_sph.exe User=ATTACKRANGE\Administrator Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=26350 SourcePortName=- DestinationIsIpv6=false DestinationIp=34.218.235.219 DestinationHostname=ec2-34-218-235-219.us-west-2.compute.amazonaws.com DestinationPort=443 DestinationPortName=https
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590756 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:35.647 ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=26349 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590755 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.010 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590754 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.010 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590761 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:42.011 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590760 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:42.011 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592551 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:42.152 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592550 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:42.152 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=5606C40DCAE83244415C454B4B844999,SHA256=E93145E080F5079013C92D1F9B85F83D5DB15F206B5E676E93887CF3051FD69F IsExecutable=false Archived=false - insufficient disk space
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592556 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.631 ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=52585 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592555 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.186 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592554 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.186 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=EC91F7EC7B9F3B8366C259CFCAF5086E,SHA256=1450D98D55E4163D593717636DDA8861B1B2EA5035B0F0C6E2195CE615504AAC IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590764 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.071 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3AA47BAAA709D745A549B041822FB4EC,SHA256=21206BC269D5D834FEABB3D697A07C27C530A26EE419AC3CE67AC2238A882482,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590763 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.011 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590762 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.011 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592553 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.170 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592552 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:43.170 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=7E2592CF4FE6AD03BE2A4EA8A9F42054,SHA256=A776F3629271F64B2FA8A7BED53FDF6BF34834E325BB41AA7FDF7EDC81E7A3E3 IsExecutable=false Archived=false - insufficient disk space
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592558 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:44.304 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592557 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:44.304 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=413213D55D64D7DE69CFEC877C3E05F8,SHA256=F884938D275B74ADCDCD480FBA5D6E9E1E0908A4242A6A16C2EFA77851135071 IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590767 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:44.177 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=65B343F89096A6BB0FED063EA8B0568C,SHA256=E37AA3A121D791B9021A1EDBFA53BD5BCE706F6DB50A57A08A225998764CDD61,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590766 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:44.011 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590765 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:44.011 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592562 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.425 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592561 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.424 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=308026F79AB770C61F94316C00D9CD80,SHA256=6C6B85E67C8C12BC9F9F063F88082AB6CECE6824241A147BCD997846A3BD73F4 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590772 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.397 SourceProcessGUID={761B69BB-818C-607D-1600-00000000BA01} SourceProcessId/SourceThreadId=13044932 (run together in the source) SourceImage=C:\Windows\System32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2B00-00000000BA01} TargetProcessId=2972 TargetImage=C:\Windows\system32\DFSRs.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590771 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.396 SourceProcessGUID={761B69BB-818C-607D-1600-00000000BA01} SourceProcessId/SourceThreadId=13044932 (run together in the source) SourceImage=C:\Windows\System32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2B00-00000000BA01} TargetProcessId=2972 TargetImage=C:\Windows\system32\DFSRs.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590770 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.182 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A79A09CBABF4026E01A8218C8FA2E717,SHA256=1C682EBE2CD7A620DA5D1DC9DACF679EB9A73056AE899D7993EB93D872D9A200,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592560 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.260 ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml CreationUtcTime=2021-04-19 13:22:46.774
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592559 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.260 ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590769 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.012 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590768 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:45.012 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592566 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.528 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592565 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.528 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=49C901AF0864E396F61B4426581DB8DC,SHA256=5E6E4CC56DFEB26A141251D8DB229C503BAF429F33BAE0DE12CD67471AD3FB1C IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590776 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.463 ProcessGuid={761B69BB-A4A5-607D-9A08-00000000BA01} ProcessId=6816 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm Hashes=MD5=CA4EAE6BA89C0BE92A57A1B4AD7BE787,SHA256=26E6AF0627FD80B24E4E2B56841AF4B4125CA9F93C481D414D34776880994C05,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590775 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.189 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=43D0D69468C53EB0E29E5A7485EDEA67,SHA256=3705E1E708CC8B6B92D7223BC8BBC730D87CB94EEF0B715680CD9B2E7B2D2A52,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592564 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.262 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592563 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.262 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=0A132C28704A564EB43BC0345E6EAEE4,SHA256=451EE7C767C7A5C2FF119B8284F11300A6665DCD4584CB468DF1316B3CEAFBC2 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590774 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.013 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590773 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.013 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592569 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.550 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592568 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.550 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=6B5EEB215B0F9B0FBAE7521B204C9796,SHA256=39BCE7AD3804054D61519827C118D6AFEA595C53D3925597A9A738B708347107 IsExecutable=false Archived=false - insufficient disk space
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590782 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:41.526 ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=26351 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590781 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.197 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=D01BE3EB2058340C311F4A986057500C,SHA256=2EFEBC42EA8DF20DF3673052FBD710A54A625BAF404BF85F04D1904C15EFA19B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592567 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:44.722 ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=52586 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590780 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.095 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=A8DA504FE25D13323A527248D09BE4A2,SHA256=54D1ADA3594761C615A8723BB8E778963C5D0D9F4B0E9BC139A402177EC44549,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590779 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.094 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=8D0BDDCD2D896F228B563AB5E4D140A2,SHA256=E1494E129C30C0E541331B160C4C2664BAFE8F2C24531E691D421D20F7ECDCC1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590778 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.013 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590777 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:47.013 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592574 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:46.643 ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=52587 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592573 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.552 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592572 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.552 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=39D8F26DD9D0B3B5E36CC67B405FAA6F,SHA256=4B9D8DC872559685C2E6B07DCFE5CBFFA2911BD250D819527B324B54FF54B0B5 IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590785 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.201 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A79C2EE592FC27EB799D432FB47697B5,SHA256=1720FC19DE848F82F8AC4365F3889EED82AC7EBA84865C4050A4C1446CF17771,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592571 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.182 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalFor ulwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592570 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.182 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=81E55666CF96D96C72FC11955CF8770D,SHA256=789064818C439C997A1412AEBA3EC068E2F41D536364F7C330D8A2D0DC64B081 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590784 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.014 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590783 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:48.014 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592576 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:49.570 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=2592575 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:49.570 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=8C63B9DCFCE6A2D0BF247D744CC1AA73,SHA256=9F20C47B843EF154ED6262FDFFB343C1AF66E61C3A4790298FD427DFE992D7BD IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590788 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:49.205 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3C1E92D3560EDC1642A093EC4BCF2E37,SHA256=2BBD7D0D6D0B5C9F7C179BB72D773D4537A737FF0547D6BD78F80D08E1EA4E1F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590787 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 20:01:49.015 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1590786 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-22 (remaining EventData of this record is not on this page)
20:01:49.015{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.804{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.804{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570E45FEED5AF8198123E59C02381FC9,SHA256=785D71C382606168ADAE53D5D6AEF1EF3592C4CE3D06700FDA5796B75FC15E1Afalsefalse - insufficient disk space 11241100x80000000000000002592647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.604{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\file2.txt.0012021-04-22 20:01:50.604 23542300x80000000000000001590799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.212{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35F44A2E870EAC8CB9A788735AA0B73,SHA256=CCFA5605212AE1023D539BA574AC883C5DCCA4188B71330FB94B71A92F4478F0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002592646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\Documents\7z.dll19.007z Plugin7-ZipIgor Pavlov7z.dllMD5=E7AE42EA24CFF97BDEAD0C560EF2ADD1,SHA256=DB2897EEEA65401EE1BD8FEEEBD0DBAE8867A27FF4575F12B0B8A613444A5EF7false-Unavailable 734700x80000000000000002592645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000002592644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000002592643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000002592642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 734700x80000000000000002592641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000002592640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000002592639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x80000000000000002592638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000002592637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000002592636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000002592635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.488{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000002592634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000002592633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000002592632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000002592631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000002592630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000002592629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x80000000000000002592628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000002592627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000002592626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-83AE-607D-1600-00000000BB01}11085396C:\Windows\system32\svchost.exe{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000002592623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000002592622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002592621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000002592620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002592619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000002592618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000002592617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000002592616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 10341000x80000000000000002592615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}26567640C:\Windows\system32\conhost.exe{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002592614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000002592613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002592612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.472{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft 
Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000002592611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002592610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002592609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000002592608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002592607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002592606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002592605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002592604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002592603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002592602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002592601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002592600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 734700x80000000000000002592599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000002592598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000002592597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002592596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002592595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002592594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000002592593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.466{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\Documents\7z.exe a -v500m -mx9 -r0 .\file2.txt 734700x80000000000000002592592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000002592591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002592590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000002592589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000002592588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002592587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002592586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002592585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000002592584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000002592583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000002592582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002592581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\Documents\7z.exe19.007-Zip Console7-ZipIgor 
Pavlov7z.exeMD5=AFC08CE359E79887E45B8460E124D63E,SHA256=A20D93E7DC3711E8B8A8F63BD148DDC70DE8C952DE882C5495AC121BFEDB749Ffalse-Unavailable 10341000x80000000000000002592580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002592579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.457{21761711-D5A2-6081-2A8A-00000000BB01}69567212C:\Windows\syswow64\rundll32.exe{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+159f9b(wow64)|C:\Windows\System32\KERNELBASE.dll+159c4c(wow64)|UNKNOWN(0000000002D938CE)|UNKNOWN(0000000002D973FE)|UNKNOWN(0000000002D97521)|UNKNOWN(0000000002D9767B)|UNKNOWN(0000000002D92780)|UNKNOWN(0000000002D97EDB)|UNKNOWN(0000000002D91506)|UNKNOWN(0000000002D9880C)|UNKNOWN(0000000002DA5C9E)|UNKNOWN(0000000002DA5D46) 154100x80000000000000002592578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:50.461{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exeC:\Users\Administrator\Documents\7z.exe a -v500m -mx9 -r0 
.\file2.txtC:\Users\Administrator\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=AFC08CE359E79887E45B8460E124D63E,SHA256=A20D93E7DC3711E8B8A8F63BD148DDC70DE8C952DE882C5495AC121BFEDB749F{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeC:\Windows\syswow64\rundll32.exe 12241200x80000000000000002592577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:50.457{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000001590798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.203{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D62E-6081-9088-00000000BA01}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:50.201{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.201{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:50.201{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590794Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.201{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590793Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.201{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-D62E-6081-9088-00000000BA01}5652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590792Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.200{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D62E-6081-9088-00000000BA01}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590791Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.200{761B69BB-D62E-6081-9088-00000000BA01}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001590790Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.016{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590789Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:50.016{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000002592657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:49.919{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52588-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 534500x80000000000000002592656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.835{21761711-D62E-6081-3C8A-00000000BB01}2656C:\Windows\System32\conhost.exe 534500x80000000000000002592655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.829{21761711-D62E-6081-3B8A-00000000BB01}7228C:\Users\Administrator\Documents\7z.exe 23542300x80000000000000002592654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.819{21761711-D62E-6081-3B8A-00000000BB01}7228WIN-HOST-5\AdministratorC:\Users\Administrator\Documents\7z.exeC:\Users\Administrator\file2.txt.001MD5=EAE56EC9018EA062401E82A54BE85A5B,SHA256=B7A0C88F9E03C25CA8C134066A7FF2C2B91C849FDCB493320546DA9CD51E9F51falsefalse - insufficient disk space 11241100x80000000000000002592653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.620{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.620{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E19A7C2A8EEF82CCDD26E249337DA07,SHA256=DA2BD3DBEA60FE3BF2EA2C4262FC86B03E295F1C434D7B8311525727DB08720Ffalsefalse - 
insufficient disk space 23542300x80000000000000001590803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:51.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE80B3F2201E0617244E73F9EE0E2078,SHA256=FC515F80AA5EA958F1E2557CF70E7D46DDE23F0330EC3389233DCFE23FAA68A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002592651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.467{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:51.467{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E27DFD80AF146C04D5A0E26063B2C19D,SHA256=CB6EF566A4F2D3DFAA2680F02B91AC9336C02CD5B6137ACE74F7B5F1FB6927C4falsefalse - insufficient disk space 23542300x80000000000000001590802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:51.206{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8DA504FE25D13323A527248D09BE4A2,SHA256=54D1ADA3594761C615A8723BB8E778963C5D0D9F4B0E9BC139A402177EC44549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:51.017{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:51.017{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.964{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.964{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45C4DA8098460D62918A41F83CCBEBC8,SHA256=37A8BE006634754798EC9100D1BF7F2BD1DE215E83E891AE2E7E9B5466009C5Dfalsefalse - insufficient disk space 11241100x80000000000000002592669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.632{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.632{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EE438087A443F6DE408E1C262BE52F,SHA256=8E60973025B306E0846EC774E7EA477549DA4848C60ED427F5A79620BF95FA59falsefalse - insufficient disk space 354300x80000000000000001590810Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:46.669{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26352-false10.0.1.12-8000- 23542300x80000000000000001590809Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:52.466{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FBAAB50BCCAD694140F22FAC38BC4685,SHA256=05BEF37A4080E9C8D388A38E564945CE3C3D2EC34E508EAC140542A8176E5784,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001590808Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:52.371{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590807Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:52.253{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81F04A22D8B715F2BFC594B74845FA1B,SHA256=04F89B2A64DBCE7CC1F635480A70403DD2FA3B00C288FCC0AD57C32D04A142F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590806Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:52.219{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BC452D7015637191E870B6B5C4F6AD,SHA256=5EE92F483BBDC34A24B7DDB1029AB8BF2E0088C568B150F7B96DB7CC96683EC6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002592667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:52.516{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000002592666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
20:01:52.516{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d737b2-0x567889fd) 12241200x80000000000000002592665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 20:01:52.516{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000002592664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.516{21761711-84C9-607D-F200-00000000BB01}37844264C:\Windows\Explorer.EXE{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002592663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.516{21761711-84C9-607D-F200-00000000BB01}37844264C:\Windows\Explorer.EXE{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002592662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.516{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10e2757f.TMPMD5=0A3987995CAABA9D2D05576BFBDACCA4,SHA256=134B5D92AEA1E4DCEEF95C6317D978F0F8DF8AC008963BBBF96453B3409DC3FFfalsefalse - insufficient disk space 11241100x80000000000000002592661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.516{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10e2757f.TMP2021-04-22 20:01:52.516 254200x80000000000000002592660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.516{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9BLQBLNN9RWG30A4OB0G.temp2021-04-19 
13:28:44.7592021-04-22 20:01:52.516 11241100x80000000000000002592659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.516{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9BLQBLNN9RWG30A4OB0G.temp2021-04-22 20:01:52.516 10341000x80000000000000002592658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.478{21761711-83AE-607D-0D00-00000000BB01}7926408C:\Windows\system32\svchost.exe{21761711-D4C7-6081-FC89-00000000BB01}5500C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590805Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:52.017{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590804Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:52.017{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:53.681{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:53.681{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871DE372897855837FE281BC899A77D5,SHA256=89567962B9850F18B90D43525B0407E8A37F2DDA0615CDBAFE1D04D270914FF6falsefalse - insufficient disk space 354300x80000000000000001590815Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:47.801{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26353-false10.0.1.12-8089- 23542300x80000000000000001590814Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:53.593{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=936CFEB7F173C37A6C8B08EDA107EA0A,SHA256=8D501F2ED2E970A6179C4110499244008F9A2414394CED58FF4DE9D9FC6861D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590813Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:53.223{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11F3F502A597F1E6A9A4F15513F00CA,SHA256=6627CF1D6F369FDE1DEAD9840D3949FBF98362F77DE60415570F2CF480434B2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590812Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:53.018{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590811Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:53.018{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.720{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.720{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB11C474235AEDC8850448ABEE7D66E,SHA256=8359D851547328D3CDAAC75592066CC5150E86E8B2A51988FF769B4B58EF5C7Dfalsefalse - insufficient disk space 10341000x80000000000000001590835Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.672{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D632-6081-9288-00000000BA01}5208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590834Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.671{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590833Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:54.670{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590832Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.670{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590831Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:54.670{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590830Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.670{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-D632-6081-9288-00000000BA01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590829Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.670{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D632-6081-9288-00000000BA01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590828Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.669{761B69BB-D632-6081-9288-00000000BA01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001590827Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.281{761B69BB-D632-6081-9188-00000000BA01}65484136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590826Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.233{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A990A07CC03728C2D98235694DE7AED5,SHA256=DA0E8B1A6F7812687BCC9A5311C129E4F2996047925BBFC1F1BC3CC7F79139D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002592678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.652{21761711-83AE-607D-0D00-00000000BB01}7926408C:\Windows\system32\svchost.exe{21761711-D4C9-6081-FD89-00000000BB01}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.652{21761711-83AE-607D-0D00-00000000BB01}7926408C:\Windows\system32\svchost.exe{21761711-D4C9-6081-FD89-00000000BB01}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002592676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.652{21761711-83AE-607D-0D00-00000000BB01}7926408C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.216{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:54.216{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=759BB7AA015F2AE903688161C74211EF,SHA256=AD00CCEB68D9C4B1E762D0B7F8CE5C4B2D52F2E619B499D018F1FC7013D855C7falsefalse - insufficient disk space 10341000x80000000000000001590825Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.141{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D632-6081-9188-00000000BA01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
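Most of the records above are Sysmon Event 10 (ProcessAccess) entries whose GrantedAccess values are process-lifecycle noise rather than injection or credential theft: splunkd.exe (PID 4148) holding 0x1fffff (PROCESS_ALL_ACCESS) to its freshly created children splunk-netmon.exe, splunk-admon.exe and splunk-powershell.exe is the CreateProcess handle, csrss.exe and conhost.exe open every new process with the same mask, and 0x1000, 0x1400 and 0x3600 (svchost.exe via rpcss.dll, lsm.dll and psmserviceexthost.dll) are query-only rights. The following is an added example, not code from the page, from Splunk or from Attack Range: it decodes the access mask, suppresses those three benign patterns by correlating Event 10 with Event 1 ParentProcessGuid, and keeps anything that reads or writes another process's memory or whose CallTrace contains an UNKNOWN frame (unbacked code). The sample events are constructed from GUIDs, PIDs and paths visible in the records above; the final powershell.exe to lsass.exe record and its GUIDs are hypothetical and exist only so the triage has something to flag.

```python
"""Triage Sysmon Event 10 (ProcessAccess) against Event 1 (ProcessCreate).

Added example; not code from the page, from Splunk or from Attack Range.
Sample events are constructed from values visible in the records on this
page, plus one hypothetical record (marked) so that the triage has a hit.
"""
from __future__ import annotations

# Process access rights from winnt.h (PROCESS_ prefix dropped).
ACCESS_RIGHTS = {
    0x000001: "TERMINATE", 0x000002: "CREATE_THREAD", 0x000008: "VM_OPERATION",
    0x000010: "VM_READ", 0x000020: "VM_WRITE", 0x000040: "DUP_HANDLE",
    0x000080: "CREATE_PROCESS", 0x000100: "SET_QUOTA", 0x000200: "SET_INFORMATION",
    0x000400: "QUERY_INFORMATION", 0x000800: "SUSPEND_RESUME",
    0x001000: "QUERY_LIMITED_INFORMATION", 0x002000: "SET_LIMITED_INFORMATION",
    0x010000: "DELETE", 0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # Vista and later
# Rights that let the holder read or change another process's memory or threads.
INTRUSIVE = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0800
# Subsystem and console hosts that open every new process with full access.
SYSTEM_OPENERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


def decode_access(mask):
    """Expand a GrantedAccess mask into right names, lowest bit first."""
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def triage(events):
    """Return (reason, event) for ProcessAccess events not explained by process lifecycle.

    Suppressed: query-only masks, a parent's CreateProcess handle to its own
    child (matched through Event 1 ParentProcessGuid), and csrss/conhost
    opening a new process. Always kept: a CallTrace with an UNKNOWN frame.
    """
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"]
                 for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 10:
            continue
        mask = int(e["GrantedAccess"], 16)
        if "UNKNOWN" in e["CallTrace"]:
            hits.append(("unbacked code in CallTrace", e))
            continue
        if not (mask & INTRUSIVE or mask == PROCESS_ALL_ACCESS):
            continue
        if parent_of.get(e["TargetProcessGuid"]) == e["SourceProcessGuid"]:
            continue
        if e["SourceImage"].lower() in SYSTEM_OPENERS:
            continue
        hits.append(("%s on %s" % (",".join(decode_access(mask)), e["TargetImage"]), e))
    return hits


def _ev10(src_guid, src_pid, src_image, tgt_guid, tgt_pid, tgt_image, access, trace):
    return {"EventID": 10, "SourceProcessGuid": src_guid, "SourceProcessId": src_pid,
            "SourceImage": src_image, "TargetProcessGuid": tgt_guid,
            "TargetProcessId": tgt_pid, "TargetImage": tgt_image,
            "GrantedAccess": access, "CallTrace": trace}


# (ProcessGuid, ProcessId, Image) tuples taken from the win-dc-982 records above.
SPLUNKD = ("{761B69BB-8200-607D-A100-00000000BA01}", 4148, r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe")
NETMON = ("{761B69BB-D632-6081-9288-00000000BA01}", 5208, r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe")
CSRSS = ("{761B69BB-818A-607D-0500-00000000BA01}", 408, r"C:\Windows\system32\csrss.exe")
CONHOST = ("{761B69BB-8200-607D-A500-00000000BA01}", 4344, r"C:\Windows\system32\conhost.exe")
SVCHOST = ("{761B69BB-818C-607D-0C00-00000000BA01}", 844, r"C:\Windows\system32\svchost.exe")
SYSMON = ("{761B69BB-819C-607D-2700-00000000BA01}", 2816, r"C:\Windows\sysmon64.exe")

SAMPLE_EVENTS = [
    # Event 1: splunkd.exe spawns splunk-netmon.exe (from the page's ProcessCreate record).
    {"EventID": 1, "ProcessGuid": NETMON[0], "ProcessId": NETMON[1], "Image": NETMON[2],
     "ParentProcessGuid": SPLUNKD[0], "ParentProcessId": SPLUNKD[1], "ParentImage": SPLUNKD[2]},
    _ev10(*SPLUNKD, *NETMON, "0x1fffff", r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNEL32.DLL+1c213"),
    _ev10(*CSRSS, *NETMON, "0x1fffff", r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645"),
    _ev10(*CONHOST, *NETMON, "0x1fffff", r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07"),
    _ev10(*SVCHOST, *SYSMON, "0x1400", r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18"),
    # Hypothetical record constructed for this example only; GUIDs, PID 640 and the trace are not on the page.
    _ev10("{00000000-0000-0000-0000-000000000000}", 1016, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "{00000000-0000-0000-0000-000000000001}", 640, r"C:\Windows\system32\lsass.exe",
          "0x1010", r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001D2A3B40000)"),
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, "<-", ev["SourceImage"], ev["SourceProcessId"])
```

Run on the sample, only the hypothetical lsass.exe record survives; remove the Event 1 record and the splunkd.exe 0x1fffff handle is flagged as well, which is why the parent correlation needs ProcessCreate events from the same host in the search window. Two caveats from this dataset: the win-host-5 Event 23 records end in "false - insufficient disk space", meaning Sysmon could not archive the deleted checkpoint files on that host, so FileDelete retention there is incomplete; and the four svchost.exe to sysmon64.exe 0x1400 entries recur every second, so query-only masks should be dropped before counting rather than after.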
10341000x80000000000000001590824Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.139{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590823Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.139{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590822Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:54.139{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590821Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.139{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590820Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.139{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D632-6081-9188-00000000BA01}6548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001590819Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.138{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-D632-6081-9188-00000000BA01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001590818Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.138{761B69BB-D632-6081-9188-00000000BA01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001590817Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.019{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590816Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:54.019{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:55.920{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:55.920{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15983D9A44D7BEEA933E751B53FC0581,SHA256=23A55A860F8FF4ADCFCD3EA1235D7F0ED6BA807002A125D924F1E8607F1B0602falsefalse - insufficient disk space 10341000x80000000000000001590848Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:55.325{761B69BB-D633-6081-9388-00000000BA01}7165592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590847Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:55.250{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60562BF0209F8FC725310EB7606EADFF,SHA256=344586B6B6CAABBD2A9282E054470A1F63C640002681C0A4A0392793995D99C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002592681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:52.674{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001590846Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:55.189{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-D633-6081-9388-00000000BA01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590845Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:55.187{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590844Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:55.187{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590843Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:01:55.187{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590842Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:55.187{761B69BB-818C-607D-0C00-00000000BA01}8445976C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590841Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:55.187{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-D633-6081-9388-00000000BA01}716C:\Program 
10341000x80000000000000001590877Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:59.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001590894Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:00.683{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B5DE9BD09887EAA38F526590A44C7B7,SHA256=18F1F89DA4F81B667535EDBCC35DF6D859D40A020A20032546564B57C4A3BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590893Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:00.287{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2D0E37CABFA2B3404E93363B39CC80,SHA256=F940C2082FA26E333336AFEDC72C6781D05B96E901B9B84FE2638DD89A649D3C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002592697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
20:02:00.466{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002592696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:00.281{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:00.281{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4473FE89B3EFAA65886247EAD97B866B,SHA256=DC03FA7E7E044AA07D57A73F45C106ED4DF4726AAC1A0E24A930AA675F577B71falsefalse - insufficient disk space 10341000x80000000000000001590892Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:00.024{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590891Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:02:00.024{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:01.553{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:01.553{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DFBAF799808CFADD6216CCEC6D96277,SHA256=68951A2E3ADA9B0B987806C0F6A5399C23EA49187C66F85719058983262CF71Afalsefalse - insufficient disk space 11241100x80000000000000002592700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:01.368{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:01.368{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528AE050EA0F03D52C6B9B1CAAD48FBF,SHA256=7C0ED2FA2E6F7D2384FCA55C177065C124E1EC6EFF9D1EAC23F423737433494Bfalsefalse - insufficient disk space 23542300x80000000000000001590898Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:01.905{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4280C4F757F695A43AD23118FD61DB6,SHA256=28FF098326F8284EC075A0D4454752B0A743A4F408957FBB458838F90866ED23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001590897Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:01.296{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46B2187DA7C48BA5F45CDD03E037C94,SHA256=0EA3893AA5B14B58A2AA25126AE08D3D966EB377FD9C543B0BE35CD4BA7D6B27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590896Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:02:01.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590895Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:01.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002592698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:57.708{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002592705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:02.436{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:02.436{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481F7E16CA0D7A99A24FDDCC0F37EAD0,SHA256=2C1FDA9119E0D67D02810C2733B0C227A4130042F3E0E0AA95EA4D1F66D79B5Bfalsefalse - insufficient disk space 354300x80000000000000001590902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:56.291{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local26355-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001590901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:02.311{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4586D672A3641CF0FA45FB58A93CDCBE,SHA256=B8D775D9F27461AA2EF455AFF66DB192641EF6AA059EDE9E2310115D739C7D1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002592703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:01:59.929{21761711-D5A2-6081-2A8A-00000000BB01}6956C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local52591-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001590900Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:02:02.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590899Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:02.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001590907Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:01:57.679{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local26356-false10.0.1.12-8000- 23542300x80000000000000001590906Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:03.316{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C443F5324BB6021F0A807A458009DD6,SHA256=72077B5057BC5F5717142EC404F16D7F5FA65A481A3DE1D0923A6284405D6506,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002592707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:03.438{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:03.438{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D711E1B006D290391DC9C9B3063EB9,SHA256=0B3AF752780FABB95D2FE140940DB252B81827B6A82E098ECBA0336D7EFB0360falsefalse - insufficient disk space 23542300x80000000000000001590905Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:03.252{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B932BE5A46AF16E694BCC559DC767C,SHA256=B9A99274B9E5962C5852167DF6C24BFFB8BC4D1123356D90101C3329E49AF516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:02:03.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:03.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:04.441{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:04.441{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020A84B2885A3178E3F9AAD6C354DF08,SHA256=7F4F21C548328272B4BB9060B613C86406F0C82994FC558CDA70F7DFBE6AA249falsefalse - insufficient disk space 23542300x80000000000000001590910Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:04.319{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCD7D08D0190614F663B889F2B96052,SHA256=E6711E32616CF1A4A9773A96BEE8D026042DDD2B38D16FDC0262B67FE32C504A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001590909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:04.027{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590908Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:02:04.027{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:05.443{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:05.443{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDEC66A55CB5B43A93E6C009EC83CB2,SHA256=F3BBBEE2FE85DA6E36E7EE70BF6898F829607458729636B0202C29CAB894B0C1falsefalse - insufficient disk space 23542300x80000000000000001590913Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:05.322{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF6A0B6933FEB2D29CF09CEFEACAF2,SHA256=D1F5CB6334074F7EBD0C7E53BB63C9B691D794799CF70DAC84BAF822AB99EF80,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002592711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:05.078{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002592710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:05.078{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34EA800CEF607956C64EF518F8C80BB9,SHA256=77FD2CF213C3685D44FEAF13E48CACB335D650D46CF0E26DC5EA3877B18962F2falsefalse - insufficient disk space 10341000x80000000000000001590912Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:05.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590911Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
20:02:05.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:06.612{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002592715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:06.612{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBACB0B2C8DDA082BBF064106BE2C24C,SHA256=6E42ADA49AEC35C0BE4D1A3F1F4871E93488C0DF4E8A4EDE30C3B7A23D4667FAfalsefalse - insufficient disk space 23542300x80000000000000001590916Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:06.324{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72AA3E9E98C127EA1E3ACD95523E120,SHA256=6DA4EF96A51C129B7838CC3B2B265AFAABD9C607F408A64F5C8F38952208C68F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002592714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:03.503{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local52592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001590915Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:06.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001590914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 20:02:06.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002592718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 20:02:07.630{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
15:17:14.146{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:14.146{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:14.146{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F27A-60B8-D550-00000000C401}5624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000667775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:14.146{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F27A-60B8-D550-00000000C401}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000667774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:14.131{D419E45B-F27A-60B8-D550-00000000C401}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000667773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:14.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD14322DCE3EEABA18AF6ACC70DED33,SHA256=BDB7BC5B868888CDBFFF739F6A708946E19353591735D8D82E3C46AC977C11F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000667803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:11.528{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58180-false10.0.1.12-8000- 23542300x8000000000000000667802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.833{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7F9BD76EE592D9689BCDB59BF932DA6,SHA256=9BCC79A9F6DBDC36636C8A4F49F002FE82796E4E21695DF6CBE5888CDB1137E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000667801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.692{D419E45B-F27B-60B8-D750-00000000C401}24044404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.536{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F27B-60B8-D750-00000000C401}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:17:15.536{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.536{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:17:15.536{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.536{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.536{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F27B-60B8-D750-00000000C401}2404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000667794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.536{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F27B-60B8-D750-00000000C401}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000667793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.521{D419E45B-F27B-60B8-D750-00000000C401}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000667792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.333{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24F429BF3907064F6B36353B65EE8D8,SHA256=90EB9C09673C309C0F608D3E947E73966657C5ED7D7A0B1226C408C1B69A6A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:15.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBD27835CE00F9C2C1443945EE29A25B,SHA256=27AD9395AE77289F928B996D67936605F8B72B3774102B4EBB192015882A8727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:15.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41A96D1AFF2B02D4E7A1665698D4D315,SHA256=D6E995B9015875FD5F05AD8D88C329A9C26184699B1E0C9143EE0A3D40541C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:15.048{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2174300511264896C7FB165521B0F9ED,SHA256=5BBFACB6BB0295C20A7E98FCE1A15564C0A97E0E3E9854A366513D49590991CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000667791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:15.067{D419E45B-F27A-60B8-D650-00000000C401}63884436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.896{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F27C-60B8-D950-00000000C401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:17:16.896{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.896{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:17:16.896{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.896{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.896{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F27C-60B8-D950-00000000C401}3820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000667815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.896{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F27C-60B8-D950-00000000C401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000667814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.881{D419E45B-F27C-60B8-D950-00000000C401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000667813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.396{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8C96865CCB4577B93E48CEFB97F390,SHA256=17B9DE132086182AE0D03E2E515E2DDF9D1845FF796666EBA7B90E6AEB8D7A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000667812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.380{D419E45B-F27C-60B8-D850-00000000C401}30003856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000611699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:13.078{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50820-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000611698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:16.064{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5BDBC54E75D649E58ABAB63E760D7E,SHA256=F5FB9A0F1441DD9035C23A8BC526EAE39E73A70D326D561D0B2807848E30C6C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000667811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:16.224{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F27C-60B8-D850-00000000C401}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDAFED2B0FC702B0377993864F854B9,SHA256=AB4DC79B40807C0417A767AE4C2FDD67601693206E6AD2DD4570B49C091194B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:28.468{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7419B7EE47BFE35CF94743BB4FD0048,SHA256=A4F0988077485299588592E25FF0F4767EA1396D73F40AE23F35B4FE22B66133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:28.107{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF2B46698E3056E9B936A05EFA26D0B,SHA256=39C9BB5C4444A7552ACD8ADBE248D1C08DCDD27DF7557D0282BB6E3D76227DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:29.765{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B1A4FDCD1961034AD589CEABAAE293A,SHA256=09429B8C4CB8E861AAC6E72826F22B7F7758E0CAF70B573F61E661538AAD2B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:29.483{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202B9D064ABAEC5BBFF9C0AA4F3CDC08,SHA256=2445DFE12116BBA89E43D1FBEF123550B7E9509113C8F4F06EB53CF36F7BF54F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000611738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.138{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000611737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.123{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000611736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.123{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.123{97C2ED32-7730-60B6-1600-00000000C501}12041340C:\Windows\system32\svchost.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611734Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:29.123{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611733Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.107{97C2ED32-7730-60B6-1600-00000000C501}12041340C:\Windows\system32\svchost.exe{97C2ED32-F289-60B8-0A5B-00000000C501}712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611732Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.107{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F289-60B8-0A5B-00000000C501}712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611731Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:29.107{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611730Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.107{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611729Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:29.107{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000611728Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.107{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780DED733CD1C9744B779476D8906870,SHA256=17B0B0C46B3A3910663771D120C628A850028A71CD63C7325977A1A28046C463,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611727Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.107{97C2ED32-F289-60B8-0A5B-00000000C501}7125788C:\Windows\system32\conhost.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000611726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.091{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-F289-60B8-0A5B-00000000C501}712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611725Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.091{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611724Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:29.091{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.091{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:29.091{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611721Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.091{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:29.091{97C2ED32-9D3E-60B6-7A08-00000000C501}33643180C:\Windows\system32\ServerManager.exe{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.3
0319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000611719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.090{97C2ED32-F289-60B8-095B-00000000C501}736C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000611718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:29.044{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=DEBC2BEA8A595BB3B7970931A40DCF17,SHA256=65B21CD787811C8E724289E04CE12575087B58B1A69974BDDDD0D72DDEA19C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000611755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:27.987{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50823-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000611754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:27.987{97C2ED32-F289-60B8-095B-00000000C501}736<unknown 
process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50823-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 10341000x8000000000000000611753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:30.138{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:30.138{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:30.138{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:30.138{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:30.138{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC2A2817DF46258D282B37D5560BA30,SHA256=ABE917927FE1E1A26F7FD0E00ED0942D29D33F4276A392DDCC7EFD1FF32B5AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:38.263{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A976F0A0015EF9A896A1F2EC8946AC33,SHA256=E4BF7D675E22ECF90D6A193F92A4032737641D8854B1F0B014A5933E40424E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:38.263{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C4D81389E2C61B2D6A5C7CFB81A6DF,SHA256=652F1CEBE812BB61039E4D5AB802008EE8308A5158867F460AD80E83D2D3F534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:38.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BB71843B1E2C8D36493DDACA5EEB6FC,SHA256=9FBB0A591D81A163F1A969FB0BEFF6BAA71B494D82BC9331D4179FBD8619B45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:39.690{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455C93E13ECD57C46D8439476C70EDF3,SHA256=E4F3AD707AE3B2F585A22AA11A3EEAD12F67EF94AD30E6538F9EA6F4B50A50DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:39.723{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF4D67CA51DCE4C38FBB15723EBED15,SHA256=747138F30773DD3C30BAFD993072A1303E27B65597726AEB99A390A8CDF3DEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:39.426{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF4B0916DFF69B3E8534A5CBB9D4A6E8,SHA256=F1B326F59A74FF94C85197A5EB19E57406B9D4446288D157201E7E72E2C96C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:40.941{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0571BAED969D61370DD8791CC7E35325,SHA256=0C67C72F6EB7AD7B6A69DD32F7897ADDA3B23ACFDCC380DBEBC7542EEB2D4AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:40.723{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7865E2D8D2424C3C4C40FD0A1367CA3,SHA256=28AF6A3AF91FD3AEC32FF48492009A53ACFA32067C380711B75BE288CE049BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:40.705{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9CAA71EE5BF6D5C5D5BD4A01658BE5,SHA256=BDDCD6D31A61874A8D3D906E9FEE026617AA194513F62D6D48BAFEE1F1BFDAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:41.737{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123DE4FF347193175010AEB76D539066,SHA256=2186962274CC84D6EA3640A1CAC375CF43D202E7087435E4EC73C3580735135D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:41.769{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8393491502E0714FC34C215858FA0E71,SHA256=F001BB2AA606A6D34038BC1088CAC3D83AF6B14B92C42A2C1A1B205F0837E395,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000611799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:42.752{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D3BE6BF79BA5504080E4ED644E5412,SHA256=96BE8B556B8C70DC7CBAD1AACD5CB1EC8ADF46D47114122CAE79B3F8FECA9C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:42.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93DDB43089A1E3BA962183AF29FBF10,SHA256=EA610CA5027A2C62DDF293D33E51D52014F4EE8624D80C5BE54381D49497E5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:42.082{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA3A6D7A7A34343A124B1D0E5F1168AE,SHA256=A6F539D430346779A8157A4624EDE4D11D24CE71AA247CF42638B77E5491CCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:43.801{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE44B2E3DD21FA9E5D6DFEE88166331,SHA256=14402AE62E29F4D3D9A5B299F3FB8D526731B842D00649FA9FD1B415E1AA4339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:43.768{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83835FE226F1123C6445C1BA029A74BC,SHA256=1C4378435BF780B93C42219EEC82D45A06565500BD903559B12294CC0192498A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000667891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:39.558{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58185-false10.0.1.12-8000- 23542300x8000000000000000667890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:43.301{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA7221AFFF48B1F06A0F02AED6D43159,SHA256=17F382C665712B3EF75FEB45EB77BFC172D2A14A649EC1117D2D16063DEB656B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:44.848{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4BC8EEA84457BF1057CB5B9AEA9547,SHA256=08F6C88BF60A72D3849C4A06EE834CE285ADFC90A48B9B7EF98A12147D8E3FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:44.799{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E9E6E2EF5EF1BE900E3C2A263B1114,SHA256=C3F6FD0F37A93BE87C09A4BEC47CB29BC4E7675F1DD7A9A0C086417ECFFA4D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:44.519{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=533FE46686A6287ACCE1DD58CC3CA31C,SHA256=6ED881291DE2FD5A10A5B69EDBBDC95EBB48439B09DF5F6399EB3E0B099B6319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:44.205{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1BA35F582B92243FFBC890C41B5A508,SHA256=7855915AB6525D0322BC35C0F43061B2067DF25786E6E6987FE94F6C10E761FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:44.205{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A976F0A0015EF9A896A1F2EC8946AC33,SHA256=E4BF7D675E22ECF90D6A193F92A4032737641D8854B1F0B014A5933E40424E0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000611805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:42.033{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50826-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000611804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:45.846{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D510844D44EBE2871E555B14C8152463,SHA256=D7087BF73671987DD55763461FC3DEFB07CDA5B43B05800A626693BD9FA98443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:45.988{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F38D24CD404B05E530DCCB3F8B9104E9,SHA256=63F9CDC748DE3B09111BEB53AF12CF59E89368262E7EF91D10E86E3690AC002B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:46.861{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846F8C6D68266BA32D200EDB0BCAB0F8,SHA256=262FEFB8163BB91348CF87C74F09E8A044095B8561B6EBB5089CCC1CEB5EC68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:46.082{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79703A8D35A0DD07A3E139A46B8975A0,SHA256=26B3FF4A137A542E380A7A86B40FACE5122263669AD237E2ECF536AE57B34BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:47.877{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA37F8185DBD4EEC6296CDA9703C50A1,SHA256=F94C97F5AB54FF0B305F352CCB604D0012F4C6D7046C0A20D61D5D69A0F2F3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:47.144{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA819E15FD9EC699A88E1D51D7F751F0,SHA256=BB80B8B86A6B0EF368CE3F4A1D162DBEE4D635075C670544F87A0B98829E36B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:47.098{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51256C8BCB9E6D9FBCABEF114787B353,SHA256=D9D1F3260E0352BE5469D82ECAC18F8815763D1E1AF201464700635AE74C0F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.877{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AE082145245ACD6120B48A9BE7F2BC,SHA256=E9C6EA75C6B4BDCACBFD776EAB1D25B195016CC1BB1BF56D1ED07D7B708A8D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:48.254{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF48ABA299EDE33F616BF2F3EB9FC90D,SHA256=41F723B76F80C627804113CFE31CA88B9EBD7D9F9BD2C080F0D6F3DBCABD644B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:48.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879AE68F058606E6EB853EE1EC536772,SHA256=925E8D76BCE4E2E4A5A563E560B28564F87EC69C491B6976E0E0171EC094023D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:48.674{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F29C-60B8-0B5B-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.674{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:48.674{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.674{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:48.674{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.674{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F29C-60B8-0B5B-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.674{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F29C-60B8-0B5B-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.675{97C2ED32-F29C-60B8-0B5B-00000000C501}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000611836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.971{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F29D-60B8-0D5B-00000000C501}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000611835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.971{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.971{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:49.971{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.971{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:49.971{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F29D-60B8-0D5B-00000000C501}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.971{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F29D-60B8-0D5B-00000000C501}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.972{97C2ED32-F29D-60B8-0D5B-00000000C501}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000611828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.924{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8F1EA9880805162A23085D1E7F4E38,SHA256=024460F64151426DE042D809E2232D8846E58441A9CD2F6F704F827973C844C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:49.410{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD7186E45B140BC3B96A3F33233B0D0,SHA256=6CDA18BD50524B16A4962C1D724A96D550B77FA40DAD3F6C76475733D675F624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:49.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A13107109F81C6C13E1E7988C6C121,SHA256=B7512C7DB583C7EA318435C7A054CF2C0BEA2F69368239B74ECAC9524374D152,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000611827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.674{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3286F82CA2382BE6E948BD0BE675D65,SHA256=781E006F29D9872195AB723DDD39FC1D4767BCF5DE5A70D387DFEDE4FF7DDE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.674{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1BA35F582B92243FFBC890C41B5A508,SHA256=7855915AB6525D0322BC35C0F43061B2067DF25786E6E6987FE94F6C10E761FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.487{97C2ED32-F29D-60B8-0C5B-00000000C501}59603864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:49.346{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F29D-60B8-0C5B-00000000C501}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.346{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:49.346{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.346{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:49.346{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.346{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F29D-60B8-0C5B-00000000C501}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.346{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F29D-60B8-0C5B-00000000C501}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:49.347{97C2ED32-F29D-60B8-0C5B-00000000C501}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000611846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:50.971{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3286F82CA2382BE6E948BD0BE675D65,SHA256=781E006F29D9872195AB723DDD39FC1D4767BCF5DE5A70D387DFEDE4FF7DDE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:50.940{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BDBDC50BDD8F774DFCE43BD0FE3CD5,SHA256=115CBB8D3B034A530D678F731DFE8CD67A763A9E252BFD93909DCED3CEE1E365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:50.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3727E6A279639EBEFC33ED234AF07D3,SHA256=E182D7CE5F7F9C79E4B92063047DCB2B2C1FC94B84F07F2B0B7924C34D7CAFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000667904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:45.589{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58186-false10.0.1.12-8000- 23542300x8000000000000000667903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:50.191{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28273F8FE8927382F47F92F5E40B6E5,SHA256=66C52347D980B45135AFEC4CC83C1DDD42E532CD851ABF15AD96693624705909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:50.643{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F29E-60B8-0E5B-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:50.643{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:50.643{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:50.643{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:50.643{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:50.643{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F29E-60B8-0E5B-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:50.643{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F29E-60B8-0E5B-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:50.644{97C2ED32-F29E-60B8-0E5B-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000611864Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:51.986{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611863Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.986{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611862Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:51.986{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.986{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:51.986{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F29F-60B8-105B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.986{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F29F-60B8-105B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.987{97C2ED32-F29F-60B8-105B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000611857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE5C3F86F4CAC93E009977021D78D5A,SHA256=7A7DEDEE88F820556AF7E46A73D28B49E9DC1D1664341DD24ABC254A9C031BCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.455{97C2ED32-F29F-60B8-0F5B-00000000C501}51123788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.315{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F29F-60B8-0F5B-00000000C501}5112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.315{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:51.315{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.315{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:51.315{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.315{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F29F-60B8-0F5B-00000000C501}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.315{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F29F-60B8-0F5B-00000000C501}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.315{97C2ED32-F29F-60B8-0F5B-00000000C501}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000611847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:48.001{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50827-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000667907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:51.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=985123C77DFD354220F7949DC271424A,SHA256=F9EEB087695C9508C8E86D3DA40E906E5EF3D4FCD73EF0B89ADF0BC4A3020DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:51.207{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9F616DD229248B9713C5697E373A55,SHA256=AEAEE944DAF44F1AA6415CDAF9C103638014DC6ECB34CE8C990198713618001C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CE07B2B5A6A24D3C8607B000DBB394,SHA256=D7421683A0CFBB978D6E5E2E0102DA9780A45423AE62EFB0CB0C726DD38E1970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:52.941{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EA53286701D021B4ABB50D64B1D1A5C,SHA256=0D0F2DDB8BAA06AFBCE00E7C056EE16D6F70B915B0119BD29491E713EB98743D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:52.223{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0A321A5B8BB9AADFBADF99086CD825,SHA256=27EAE381DB531A20130DDB6589EF9054BCB8753BC72B3255C026C3398306A662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.799{97C2ED32-F2A0-60B8-115B-00000000C501}13964476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.658{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2A0-60B8-115B-00000000C501}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611874Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:52.658{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.658{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:52.658{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611871Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.658{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611870Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:17:52.658{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F2A0-60B8-115B-00000000C501}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611869Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.658{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F2A0-60B8-115B-00000000C501}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611868Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.659{97C2ED32-F2A0-60B8-115B-00000000C501}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000611867Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.330{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16A44E0657CCE6816D7AFC4B683E4B7B,SHA256=9A6612EA5EAD5FF8685FE5500586D6D6130F86EF3D332B2B402FAB32445D7754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611866Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:52.127{97C2ED32-F29F-60B8-105B-00000000C501}49366016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:51.986{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F29F-60B8-105B-00000000C501}4936C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000667910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:53.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F2EA1EF4D4277AC2294D1263627A1D,SHA256=DAC91082D5670DF3BE2F0C047B7895749968CC1B51360DE934263AF7DF6750B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:53.659{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDB4F4D6850EACDC4533CC66B1EE0D88,SHA256=70ED97494FB606FB2897FC3460417670766060C9A4C56AD085F9DEF3C9FBC198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:54.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=450CB618E1B0BA3747A5924BD76301BC,SHA256=0C246AF3391458CF1216174A518DA3F696EC5D186E580B5CB67519ADAACC0EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:54.254{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D7367C5CC947C86A9C033D415211B1,SHA256=EFBE60675EDE70F04B4BB771817151B05132FD155CF89099EB6DE06AC35A9A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:54.002{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294CCC9B5A490491D89AB65AB0E14AB1,SHA256=EB175E6E5F7131EF5CB41B465F3F8EAD4D179E036800A23907D80AF919FFE524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:55.252{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7991CEC8B5A7B1D4465B55809D32152E,SHA256=9F808D54BEE31F8837244920DEF39DB5B29E0B0A986F006EB2B9FA68C3431F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:55.033{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82340A2BB840C19AC72C05C71837387,SHA256=93466B3DD06CB8459C0A29D55EF9D09A1C081B542F76C577293DE5AD22DC5DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:17:55.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4868A4FF17F6BA7D2840F0CB4CCD8D5,SHA256=EE463622944B4D0C10C7DFD0D8DA429D94F2528B8B8B44A5AA8A1B4CB4DAFD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:55.254{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E7259E3F132ADA2F43BC2E79166FD7,SHA256=0C5C3D3276CF9B544F06DEA6939975F27F7395F62C9ADC72A749CD4B6E26639A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000667913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:51.573{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58187-false10.0.1.12-8000- 354300x8000000000000000611883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:53.080{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50828-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000611882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:56.080{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAAA1E8193DB7AA830AC0AD10B3D40E,SHA256=FAE411F68BC8F23D1E4682BD29DBC583609469F5891F55C07575565325EBC129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:56.738{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E6B93F3A2E5299EA43FC0B484F62FB,SHA256=F0119CD81968E7F3418869159ED85FBA5EF62694A2C5EFCF30B7B0A365E34F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:56.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6073EB82431A7D1E5EAEC355F9F5EFC,SHA256=4367C3C8B50FE676070599ED5040782DDF02D941812D904FA83C9FC6491CD506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:57.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C15277F2759773593C6D4692E43F3E,SHA256=805EFFC5BF4DCEB11514C8C9FD300A0CA04FB84BF6A7923C6F43CD0BB0E95561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:57.082{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23665571B79CF03B1B1AE23D0CEC3CB,SHA256=C86A1830BE195662E64E3E04036AA48CADB8FE2746F94A9070A3BC93B86A52BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:58.301{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9374D6DF805AF597506BC83B394D867D,SHA256=C5C99CE3F2309BFA459BF7AECB0C851C226A6BB0002CBFE437E020CD047F20FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:58.094{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E84E4CFAA83F2A2D0425A85636E3FA9,SHA256=5B99F6DC80B09766AF67D2142669F49BC7E5C3E1C8D56958003D0E236D5376BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:58.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52AD51F8FEBA956C2CE2AD98F104D6C1,SHA256=E1D466515F261D3180D6C1F44565D753849B9A12D1FE9E246BBA62C12BD29DBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000667924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:17:55.638{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58188-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000667923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:55.638{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58188-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000667922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:59.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1EA5B7EF40BC9C76DCAF0F9E68CC66,SHA256=7F66200EB06BF01197D50E00489F241A4BCE62FBF23E0620DC62F6067F204DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:59.177{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:59.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDC599ED024F0E9D0F1CE5238CE6967,SHA256=2C490BB2FBEA623DACBC3ABD89916A74D0D88C73A902B6DB5FE75A33CB7F553B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:17:59.191{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5650BABB46A8B428A1622D55204F2A2B,SHA256=0781E7DEBAEADEB973515771B41465A4862F750DC8096E2588343C9425DECDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:00.416{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA5DF7F8EE761EDC9723DD789845A53,SHA256=BC1A00CD731209842D04D78F927DB8E3A6C7F2F47695981D2D4297E43DBE1226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000667925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:00.400{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6D1191BFE2BA518116DE94EF04AC0B,SHA256=B1E0F2DD49CD97AFB8638C9455BC5E30C678814429EFB77E09F664A1478F9612,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000611890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:17:58.004{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
15:18:14.137{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.137{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:14.137{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.137{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.137{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F2B6-60B8-DC50-00000000C401}4852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000667963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.137{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2B6-60B8-DC50-00000000C401}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000667962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.122{D419E45B-F2B6-60B8-DC50-00000000C401}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000667961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.027{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B15F9632A6FE661CB8F972E6F61EE7,SHA256=9A2BC81FE204D4B27C8D2E7ADAC9AA280CDE4578557B39F15C8D66F6726EB9AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:15.335{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E217A950EC37187D080FDE1442AE78FB,SHA256=76D88E410E83282DB9710B4DAC34D6673167142162D4DB7A08BE43FF3FC90B57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000667998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.887{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2B7-60B8-DF50-00000000C401}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000667997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.887{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.887{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:15.887{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.887{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.887{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F2B7-60B8-DF50-00000000C401}2392C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000667992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.887{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2B7-60B8-DF50-00000000C401}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000667991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.872{D419E45B-F2B7-60B8-DF50-00000000C401}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000667990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.387{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2B7-60B8-DE50-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.371{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:15.371{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.371{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:15.371{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.371{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F2B7-60B8-DE50-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000667984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.371{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2B7-60B8-DE50-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000667983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.374{D419E45B-F2B7-60B8-DE50-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000667982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E670ABD452ECBE50A84EDF0262F1033,SHA256=06D08F8CB05591224BAE2B5E8774F97745A1554445170178B90A58E7E59BBAEF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000667981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:15.027{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28387BFA01AF33A71E012FB4AB0D0A8,SHA256=A67BFD3A86AB5508AAA7D3DF779F7FDC161531A0E2831AB55CF30B7F33F094A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:16.366{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51ADD2066F7F71E5458F7C56B25E10B,SHA256=72D8FDA346817D753233FAB1EDB142FF8C494B973117F89209E14CA7AB3B2998,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.684{D419E45B-F2B8-60B8-E050-00000000C401}44643416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.527{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=473E78F7E4DFBA42FC004139B2F01C20,SHA256=39D2511DB94FF107B8BB88A2BE8163B29DFDECA2C88162DA8C49BD07099E8129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.527{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2B8-60B8-E050-00000000C401}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000668017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000668016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09ba6d9f) 13241300x8000000000000000668015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75883-0x4b5baeb6) 13241300x8000000000000000668014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 
15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588b-0xad2016b6) 13241300x8000000000000000668013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75894-0x0ee47eb6) 13241300x8000000000000000668012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000668011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09ba6d9f) 13241300x8000000000000000668010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75883-0x4b5baeb6) 13241300x8000000000000000668009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588b-0xad2016b6) 13241300x8000000000000000668008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 
15:18:16.527{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75894-0x0ee47eb6) 10341000x8000000000000000668007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.512{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:16.512{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.512{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.512{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F2B8-60B8-E050-00000000C401}4464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.512{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.512{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2B8-60B8-E050-00000000C401}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.514{D419E45B-F2B8-60B8-E050-00000000C401}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000668000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.059{D419E45B-F2B7-60B8-DF50-00000000C401}23926580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000667999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:16.043{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525212EF1DE3F004A0677C12871C6659,SHA256=426E7BB192CED43D6395857EA6F35F92A8EB9A04EEF565CECE2D8789053CB882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:17.366{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA79894F1F82A8F44BC82FCDF22A862,SHA256=37F684A3B9BC07C61F6DA613185A55C59E95D9987767D3DAC4BE7F6C0633C11E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.809{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2B9-60B8-E250-00000000C401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:17.809{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.809{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:17.809{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.809{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.809{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F2B9-60B8-E250-00000000C401}2168C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.809{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2B9-60B8-E250-00000000C401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.801{D419E45B-F2B9-60B8-E250-00000000C401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FA4EF3C48F1A0A9D117C47B25748549,SHA256=673227AC3B984E8FCF394FF5B83AA9FAD00A3F0503C116EA5667AC68F28575D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.184{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2B9-60B8-E150-00000000C401}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:17.184{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.184{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:17.184{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.184{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.184{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F2B9-60B8-E150-00000000C401}3572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.184{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2B9-60B8-E150-00000000C401}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.170{D419E45B-F2B9-60B8-E150-00000000C401}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:17.090{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7172862A8B297E0E7BBBC1CAD9A5416,SHA256=DAC316803A9E570859D79884AEBAFBD8BD5D09356B7E5051B884AC6112DDBEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:17.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=943AAA6A86312476606B2C4E9A93A7F3,SHA256=275F7ADE057537D95AF810A10B46A6DD4520E2F5B01E5D9F32DF62E8C846C5D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:18.616{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-C506-00000000C501}4092C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000611918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:18.382{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54D9B6B84DCEB19574BEF3062E74697,SHA256=465063A7BAE52959ED15204FDD0B2A81B34908999A7CF72A0A64E9F6C1C9443D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:18.621{D419E45B-752F-60B6-0D00-00000000C401}9046712C:\Windows\system32\svchost.exe{D419E45B-78A3-60B6-B402-00000000C401}4592C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:18.121{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3D2515A36078B7B3CADE0B9F5D6316,SHA256=35AE66AA6A47C14FED20CD80E2E6C4029B36CB51E92EAE17B9A2A922A892C6D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000611917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:15.054{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50833-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000611920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:19.393{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBDBE9D2724C01F6DD6D7AC936ADE40,SHA256=41E341483009C9B9070DB2AB926376722B6DD817590126F89414778368126033,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:14.643{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58195-false10.0.1.12-8000- 23542300x8000000000000000668042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:19.279{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93C4EAD960E91DE73377F97E885B578B,SHA256=1A0221D322EB015FB9CA8C12809B91D3DE90C28AE880B464D43D4C8BC24DF480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:19.279{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61C5FDB5AEA853D87970965F7B98307,SHA256=872A5E0180935D7CB80FF34FAD88685D4E13F1443091E1C388067414CADE5634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:20.395{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72B7CEA58BE874C03675B4B1D3CB4D66,SHA256=CAE1B0E2B9DDEACC8DB727608650D0086DED22341289BBDFD768FF26F1EF998A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:20.395{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3C5AEC13D2FC5DC4DCED3D450274B0,SHA256=294C1B9C11EDB1DD0E064150CDF3B2201506540101F41B71CE5C8396E09B081D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:20.393{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E5B20A29F228FF579D665D80BABE31,SHA256=7E4F613F1811A595944DD45748D46329CB8E38E6348E5B0ECABE0A5C6D212D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:21.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B423F60D0A71B3E184D2D850B5BCD7C,SHA256=9A8F0292AB0C5793E6C460B5D5B3256DEF8E704B5A55F0A367289622694E6A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:21.411{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C49B1CF070936AFB284A27489F9D7EF,SHA256=15524E2989558DF2BC84FD565676EABC30A46FB4DDB6C7BC436D07B2DCA4D3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:21.409{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CF9404DD1BAE9656F8C27934A8CBC8,SHA256=853042FC1A8926071716126ECFD5FF37269C974E6AF490F3B17C1F8B28373583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:22.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3BFB6A9D1413F521F37A8C0158B2A53,SHA256=74BEDF3A3B0D8DAD11871A782ED1A3FAC76F65A664E796173C1D8ADA9117D178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:22.458{D419E45B-7552-60B6-7500-00000000C401}2528NT 
Microsoft-Windows-Sysmon/Operational events from attackrange.local, one record per line, reconstructed from an export whose column delimiters were lost. Values that are the same in every record are listed once: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-; Version/Task are 5/23 for EventID 23 (FileDelete), 5/3 for EventID 3 (NetworkConnect) and 3/10 for EventID 10 (ProcessAccess). Each line gives EventID, EventRecordID, Computer and UtcTime, then the event's own fields in Sysmon schema order. The export glues SourceProcessId and SourceThreadId of EventID 10 together; 904/6712 is the only split of 9046712 in which both IDs are multiples of 4, and 904/928 follows for the records that share that source ProcessGuid.

(start of record not on the page) AUTHORITY\SYSTEM Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=65C676C9B048EE24A780F845034411E0,SHA256=43C8D9DBDB16D63D88AE40F926C7FD915DBEFBAA53DDAA53F533738A835F6CA6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611923 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:22.425" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=57B43662513ED0987FC26C4610770A8C,SHA256=7C6B5DA350E6FC21BCC9E978CB21B901BFEA52F5CD4D86A2CC6663EDEE5E1F82,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611926 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:23.456" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=962D7E8D5D2DF49B50CA002AA8B15534,SHA256=889CD82035D40CC6520661C7A6012F9A04DDCF62E2F4EB76496409558C79682B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668051 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:23.928" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=ADC288F451FD5F5229F7D0842E9D2B47,SHA256=B413CF4CBFA55CC20C5942FC6E4D2789677434FAB4E8CCC8E3DE3E3B34B560DB,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668050 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:23.567" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BF14ECBB3D952402AF6A10869217F5D0,SHA256=25AFC10FF2D90E0BD3C267B4AB4A9ECE81E94D922C8B4477CAA537B0195A4BA8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611925 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:23.190" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=2C647011B974BA27DC9384331B1AB3B1,SHA256=E231BBCC8DBF1061AE3C58439E2FC510213623A479437EBB6F6B1DEC87F9F351,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611924 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:23.190" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=0473FE6AF70A167F43D64DD1F779CBB1,SHA256=559A6FFFB3E7691FD796BBE7629FD15B7368EC2987FD3B13EF131D110B744A93,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668053 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:24.567" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=4219F7AFFC9D3F47AEE61C7DF7EC86F4,SHA256=64EE288633E9BAD785B45DF6A20D2DBE093683011F7AED73BDE712F3253ECA6A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=668052 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:19.668" ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401} ProcessId=3320 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58196 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=611928 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:24.456" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1A62DE29BDC28192A74F1CA1C6E5AF35,SHA256=7425BAE40F57B3DD0E9461BE65A4D85EB2B2D6C6E557364DC7A92645F40468C9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=611927 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:21.019" ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501} ProcessId=3036 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50834 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=611929 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:25.472" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=6151AF46807B3CAF3991D45733BE57D0,SHA256=36F59BBD7F56A5D73530D79C251BA90F0198CAB6886CB4F7A92E7EB8577848C9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668055 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:25.614" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=DCC82090220CFBB060A7DAA1213C3357,SHA256=A15F02B79BB0CA2A435DFD070C544D6C20CE7A381D008A8E5E560C0CAF09AB84,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668054 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:24.989" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=15D342224E8E56E3098890400648D951,SHA256=C47704198048DC99E810323DF511D91D19DEB270296ACFEC104323C3C11FB178,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668057 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:26.645" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=FD4D573DE4B7D10985D0BEC5454C1B2B,SHA256=354704F24C88F9F703A48DEA15B6A50C8B911F2891AC45478996C66CFD2274BE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611930 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:26.487" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=09A1632DD5B41F3813E036A4E3C64264,SHA256=7F6DC80A9ECA3EC3F04252844F2F18E587455E9A15792A1B4396334C8FCA573C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668056 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:26.239" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=2068E8541508DB615B8B9F89E6B6E584,SHA256=1478AD1CC589CD67283B92B4C0052A707C1B733788A49FE7619DF3567DEF8BA2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668059 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:27.645" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F8A23E66EF8C3474A7899AC8FE337372,SHA256=B3C21BE3309DF7F63542076D54A5EAF1CD20109FA6890347B769045DDC1FAA43,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611931 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:27.487" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=21A4AF15C0EF93931F5627D7D4ED28C6,SHA256=2BB70E8EF01117CB58A9DBA11F030FD257AF29576B5E70BB21E1C202D23BCC63,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668058 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:27.489" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=4AE98D2C2E9DA24DB1D250B52F07ADA7,SHA256=1DD4B02AA04593C8F1A545A259837CE692561B617E00C0119A14CECD6099F15F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668062 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:28.865" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=38EF91BA7FBE6976DBA15A14AED41BB3,SHA256=D02C60F2CCB7228E4511D0CDE985DFD3DD78E200E35542F90AD42653576548D6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668061 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:28.865" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=DCC6702A79F8F9D31AA17F4BB29BC8A0,SHA256=BAA40991B363D027AB91A67E8387816AD25444FA2198CC6481D46B35E8CD0781,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611934 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:28.503" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=754D3D2B5777B5A326EEC70E8FEC4066,SHA256=B74F5B30E91E1203C4FE0B784FB9DA0CE564C6575F5401AF07ED2AC9AD72C2E5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=668060 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:24.699" ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401} ProcessId=3320 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58197 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=611933 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:28.253" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=67F48EDED35E8E6A7D6DF8C85F42AC76,SHA256=B2C95908F5781C74B7F0721DF0E23DE0C45FD7D239B28EFED4EB750BE6AE66F7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611932 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:28.253" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=2C647011B974BA27DC9384331B1AB3B1,SHA256=E231BBCC8DBF1061AE3C58439E2FC510213623A479437EBB6F6B1DEC87F9F351,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668063 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:29.897" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=97280206743C014005EB858728F5ECBF,SHA256=25F74D97DCED8F65D39480A6BFC381CFA77AFF24BBED0F5C636A2A6BD2906D8E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611937 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:29.534" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F450008E3143EE24C0BB8AC6A5D98CD3,SHA256=B66954CFCCB731C749F5402ADC407FB13AC33D4C5D04054D85A822676C429B23,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=611936 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:26.080" ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501} ProcessId=3036 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50835 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=611935 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:29.112" ProcessGuid={97C2ED32-7730-60B6-1600-00000000C501} ProcessId=1204 User="NT AUTHORITY\SYSTEM" Image="C:\Windows\system32\svchost.exe" TargetFilename="C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9b2c868.TMP" Hashes=MD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668065 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:30.912" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=EBDF2EDDC19B48D2117D0010D2EC8A91,SHA256=EE211CC20829AE7EAF74017625AE76164EAEA3D17B7A8C1131C158D71D63C707,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611940 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:30.565" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=DA3B385E71388669DC92CF79EC648403,SHA256=CB3D1FEA3EDBA47A4A9A9BE613602A8E1FBDD204855853A6BA4B261D9D2CB4C5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668064 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:30.006" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=3D831657EFE8CBC44D2C4DC883AAE307,SHA256=598F7B12FCC7803A67104730BD7E61536AA5134BAA6268420275E78D9D3E6B4A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611939 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:30.440" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System" Hashes=MD5=DA064562D6E97E2C64A2D0EFE92C45F9,SHA256=875FF148714D528160A11859B26845313C069C82E12D7DA8F1871DD935266D72,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611938 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:30.440" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System" Hashes=MD5=0B0E0D8876F3EE0BB5B75B43369EF5C3,SHA256=72529FE30CB4087503DB7624639798CA1F6DF88B04FFEE77C5752AB0EF04A905,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668067 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:31.928" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F381DC8EB45E3144FE50BAD7AE5F4CEC,SHA256=330147AF13652DDE4C21656955D5EF3132DC6EED3AFF054A614E9680332FB6E9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611941 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:31.581" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=C2C0C4CD0A7F406AFFC269DB27396EA2,SHA256=D7A3CC93F32F900FD9792BCAE1CB03C30A7C4604BB6E6CAAB2BCAAA407617EFE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668066 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:31.100" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=096FE1B19677152A53042A255A42E6DB,SHA256=7E6B43B3FDC9C71698B30B072765C311306F318318840578C3EE51B0A64DB5BD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668070 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:32.943" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B86F3122CF75024145DE00B8E563DC03,SHA256=E51F394AD0AEF8E3E585C307A4AA29AC3FF5D26E98A3044965B788880DEEDED6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611942 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:32.597" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=5F2F5AC49A0E6AD4BAC9DB9E05B24BB0,SHA256=02012E7F013FAA86F790B44D5B9AFA68F5C87ABE1D0CAF9AEE8769B04228F9C1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668069 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:32.240" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=DDA59FEBE9A3F45309EB5DEDD5A8CE4A,SHA256=136F0F897B03E841DDC37F36AF71F08D34458397363325A6E539473C5B0C9A32,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668068 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:32.225" ProcessGuid={D419E45B-752F-60B6-1300-00000000C401} ProcessId=616 User="NT AUTHORITY\LOCAL SERVICE" Image="C:\Windows\System32\svchost.exe" TargetFilename="C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat" Hashes=MD5=8AEC4C49B4990019F86A2D7FE287E8FB,SHA256=47440F7925F53186500ECE1FD1505020801AF1D24DD5DE3FE98BE12D173D6EDB,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611943 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:33.597" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=A69FA9A5DB6313AADFBAA29FDD0E42A7,SHA256=64C91CE143CE7EDE14302D3182E027F076303DD9A8E129BBB2AA4696A5FE94E5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668071 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:33.381" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=57BD52577087538E8D765F6BB5E0571B,SHA256=5992B067C8909A921C3D3527EEAB720034D8B6F354BBAAD3840FFD7F77C7FA9E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611946 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:34.628" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B8D80CA078D3842EE9684A7B1CD4C9E9,SHA256=9C40514444ABEF61C7C7F939E49ECC3B5FA0139BCEAAFD482025610565F61455,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=668074 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:30.653" ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401} ProcessId=3320 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58198 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=668073 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:34.647" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=44A4FBCD3D100436C8E341F45D2D9640,SHA256=7E6348211A1C08F6B80DCC24D53C89B675F092F7E41D381BFDC2829D95A7CF19,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668072 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:34.006" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=C58731D24DFDC2B6216E315CA674533D,SHA256=58436186B8F42D77EE142CBEE9FFE0DB2B4726696F9FC3443AB646485AB3A184,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611945 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:34.284" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=6D773DB2419DDBDE40AAFC45A5B16EB2,SHA256=57C9934331E8F50A6D52E36DEC1655A5E573C23292D1A33B4316A01A41480C23,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611944 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:34.284" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=67F48EDED35E8E6A7D6DF8C85F42AC76,SHA256=B2C95908F5781C74B7F0721DF0E23DE0C45FD7D239B28EFED4EB750BE6AE66F7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611948 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:35.628" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1913292D4A6E81F7D7B3AE35CC6289A9,SHA256=64E9AD10CB23CFC704B45B6BF37BCBAE59F046ED599BEE4B522A06D9E691C653,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668077 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:35.897" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=A04EB5C622FECC902EFEC3FD677C474D,SHA256=4E6E4AC19F46EA62D6F0A258D2A7242A5812C1D152C474D0842D69BCA2B67478,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 EventRecordID=668076 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:35.459" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=6712 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-F162-60B8-B850-00000000C401} TargetProcessId=4488 TargetImage="C:\Windows\system32\notepad.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=23 EventRecordID=668075 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:35.053" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=8500218CC635619406CF0CD8DA307DB9,SHA256=54F5C88D85789B7ED08CD3E4E559881AAB29CA566BC14AB0AC2B44904AB6F20F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=611947 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:32.097" ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501} ProcessId=3036 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50836 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=611949 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:36.628" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=239AC383AFC27DFA6AB08C762E2CD323,SHA256=0266494011A5D9FB9D256C1437AA8B670B1565943D6CD7FCA628FDF019DBE31E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668078 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:36.068" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=204FBA0C63C62D646A16FC3603516EBA,SHA256=CD649C9362671F8FDBDC94A35A49592487246CA1E78BDB2091FD0DFBF6440699,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611950 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:37.659" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=ABB7C9B74D611D3E94B66C3160C019C8,SHA256=C4552732D733165FDDB878DDAE4793B49676FA5CFBDC6DDEEEA073361FA961C7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668080 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:37.240" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=04116F96D2B8128CDA1AE28B484E0559,SHA256=A696EB52CADD928CB77B95B36C0E88EB0E1C0B787B5CC979F1D1EC8CDF610C65,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=668079 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:37.100" ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=00874901ECCC649E4CAF371D1BDBF5DB,SHA256=DF51DC9E8952A5430572FACA6875C72ED6EDB1AB1F68B784E201EF711A18CF53,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=611951 Computer=win-host-236.attackrange.local UtcTime="2021-06-03 15:18:38.690" ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=3044453BF07F100BB30B178177F3D078,SHA256=73C8AC292E5F1349A8A7D128CBB53BC4FD23213799E6DED80703DE6F03B3226F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 EventRecordID=668111 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668110 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668109 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668108 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668107 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668106 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668105 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668104 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668103 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668102 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668101 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668100 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668099 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 15:18:38.490" SourceProcessGUID={D419E45B-752F-60B6-0D00-00000000C401} SourceProcessId=904 SourceThreadId=928 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401} TargetProcessId=3976 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=10 EventRecordID=668098 Computer=win-dc-233.attackrange.local UtcTime="2021-06-03 (rest of record not on the page)
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.490{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.381{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E518B8361B6B189D02463637E4B37E46,SHA256=6BCA28917B10AA47C4A0C63431C4B518031056D7F56658C013AB9F3523EB0A41,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:38.162{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8E214B5579B66045786DA1C1DECF94,SHA256=AAB3FDCEE770D03DDF317A1EF5D81B513075096DC0E645461751CF78AF391D43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:35.653{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58199-false10.0.1.12-8000- 23542300x8000000000000000668113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:39.637{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55C3805B3B9A1415345C15592DF73B64,SHA256=ADC888E6A53FA1671091D9B3A8B6A0C0177BCE9FC78DCA781804C1ABA7FC79C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:39.637{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A040F5CD46D1C9F641E9A6D7E46B1A8F,SHA256=0823B056AA1026128E6BBFA801F719DD1C9927B1421E2EA26437C703FFE2BAF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:39.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704ABD00FDFA6CDE8DABB1171A1A8E76,SHA256=148B2CADC0576C709C086F40329885616A019EE5049FA85AEF24945B334F7EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:40.778{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C752A26F65CE3441396C3B46189249,SHA256=8279D5A61DB360B11F86FA295CAE231CA54641AD3A0DA360DCB74E0947EEB14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:40.778{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D16F1D3485A67FECF8E2F39E7147A1F5,SHA256=E04648D7A8013721D9CAFE31EE2D32800EB7837EEF22960743F09CE585B4D054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:40.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945CD996E3B1244B975F326FA8AA1EDB,SHA256=1DCBDE65F570127F68B264F4239F7BDF2614FF8059AE2254F41543485B23E462,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000611954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:40.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C66E6222417F9C4B82D7EBBB1336AD,SHA256=2326E02C8E76949F48B12CFEBE2DC2EF01D8817994892F399DE8D757B5B7D23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:40.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D773DB2419DDBDE40AAFC45A5B16EB2,SHA256=57C9934331E8F50A6D52E36DEC1655A5E573C23292D1A33B4316A01A41480C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:41.918{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9750517621CFCB33D6A9169090B304E9,SHA256=BF25C61FD6B9F294D5FE878F6CA80A86C34847EB3A727E82EB70823CCBF79ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:41.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155FAC49EF9E91515466974AD259E982,SHA256=FA901C31DD543796FAAEC8F58ACA2AD10B3DD4D054EB505CA2FEDB2E8F848145,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000611957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:41.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7E2D83604BAF2E950C95A713471A8B,SHA256=AE0A1E7EF572DA669A5318E9F33E808FCD85D602594907C2536CA23681D7D933,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000611956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:38.081{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50837-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:42.965{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7E53B965D5AE50A234C265FF3DF8D2C,SHA256=AE19D71AD277C0C4A237371F2150E6F981C3756A6C0724DBE25A4EC6761B222A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:42.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE910237BA281EBA9BB5AB9784C4F292,SHA256=7ECB0F90330FEA7DA3FEA08973F24A8080879D30D55BBD927C4B011B1AAD33EE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000611958Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:42.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631564BABA94160983BE59EA0A4B18E3,SHA256=F11A77628FFFB89C3E4625CD3087D69C730C1192307DABB073585C1C696D250F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:43.856{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882DD698914AA39ECD2D41F12FA567C1,SHA256=2C76568C5BFDA9606D69CF272187904A32A638D5AAD94D2B5397C5154314EBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611959Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:43.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E546131E306F6DF9A32F0E3AE87FC81,SHA256=B87C73E11DDB047B9D12375FC1A7A85DE2BAC34322C48EE55988DDE8AD225B45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:40.659{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58200-false10.0.1.12-8000- 
23542300x8000000000000000668123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:44.871{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32E78D65A95B47543D65947606F7E72,SHA256=38B3BF055564EE38BECB2CA470A2A7267C5E32AF6C2F45152ED14A47CC4BFF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611960Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:44.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3AE06F00894F167621D832976973C8,SHA256=5E3E88A6EC52C2D0C1C1CDFACAADAF0CA485EC6ED08DDF2293CA2966BF4F8DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:44.293{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9C87566BA91168A3036D616D6C9CD01,SHA256=2F9FE29B92306C0B67CCBE09912E6EBE7E3D199BADB8F3E75F6BD5D71CF12B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:45.903{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6558B38965778D77B64E186303A71D7A,SHA256=6A715CD4E153250BA7E6939D65F080F6D3B55A41BF122EB0AF4CC5B0C94DF0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:45.760{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E9F0CC8796D08CF28C5FA53D79C57D,SHA256=74AE5B1D9FD7A962805CD5502C5F0B7DDDE7AD5D0F2C3763FA7AC57C2104A852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:45.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76104916C37C906D9495ECF118E9F01A,SHA256=BBE4EE4EE39D1829A5562949EEE027098D9EEB24C8692B41BB6F8DC433C69433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:46.918{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BF5FB99614CDE00959EBB8380E8165,SHA256=1B6C5A4FA667F6BD8E651AC5445E8777311145C98DD3C5E4E44FA913655F3F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:46.791{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDBB432F97CCC39B235691E9FB73E79,SHA256=9D912CF18406B7B41009CD5E0015D2E5D589B31D5C5B8A85131E2380E01A76AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:46.699{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:18:46.699{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:46.699{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:46.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1EA7415C4D13363FF4AB0CC0012F728,SHA256=47727006B0744FF2FD91B56AF03A42694B13C139874FBE1E2E0F064BC867864D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000611964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:44.041{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50838-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000611963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:46.213{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F007BEBDE4D4CCE018A80EDF0BC46E0,SHA256=F7B97FDD0F832FCA124A2D3EFF83FF70C31311D04A6AF2AAC1938962CCDD8D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:46.213{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C66E6222417F9C4B82D7EBBB1336AD,SHA256=2326E02C8E76949F48B12CFEBE2DC2EF01D8817994892F399DE8D757B5B7D23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:47.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258828D9442519DEBF36B23DBF4040B9,SHA256=A5C08B16235806D28A7B1EE62B6F2404550E959792F3C606511673E7BFA2091C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.807{97C2ED32-F2D8-60B8-125B-00000000C501}36645824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000611978Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7F00A336E35222344D7274F4D4D138,SHA256=A3F1CEEC17D294EF1A415A034FB9B4A81931F69E90633661706B4E6655A576A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:48.153{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C43D852FEAAE99E5D462955F9C1A1D8,SHA256=60DB5CD9562FEE3646AB33D7898C1A7F36C3012B7463AC2C58A20A19DE988027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611977Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.682{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-D050-60B8-4156-00000000C501}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611976Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611975Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:48.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611974Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611973Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:48.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611972Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.682{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-D050-60B8-4156-00000000C501}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.682{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-D050-60B8-4156-00000000C501}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.683{97C2ED32-F2D8-60B8-125B-00000000C501}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000611969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:48.432{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.432{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:48.432{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:48.121{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80D2413C7096FEF465DB572AA815C97D,SHA256=3758C27342DCCB1E7B2A76901C49AA5BC5F4EE41B1D5E641A0F6B1C13DA3DA75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.854{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2D9-60B8-145B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:49.854{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611996Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.854{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611995Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:49.854{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611994Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.854{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611993Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:49.854{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F2D9-60B8-145B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.854{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F2D9-60B8-145B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611991Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.855{97C2ED32-F2D9-60B8-145B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000611990Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.854{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F007BEBDE4D4CCE018A80EDF0BC46E0,SHA256=F7B97FDD0F832FCA124A2D3EFF83FF70C31311D04A6AF2AAC1938962CCDD8D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000611989Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2853310F0834CEF31FD27526DD7294E1,SHA256=5C54801A4983863188DD3E6400A857261560693C586B6062159139730942BCCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:49.246{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37E8EDD5BF2224B33260997EA8A4E11,SHA256=AFADCDC384F8109CD54C7396EA6BDF87EE8B8FEA0C618DC4A6E0ADB5AC213208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:49.184{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1F7509AD18294768E5BB42ADFA74C3,SHA256=B399470B7429A80568FA7194E0727853DAE9BA819914FB8CF6235185D49CAF68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000611988Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.323{97C2ED32-F2D9-60B8-135B-00000000C501}4324684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611987Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.182{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2D9-60B8-135B-00000000C501}432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611986Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.182{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611985Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:49.182{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611984Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.182{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611983Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:49.182{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000611982Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.182{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F2D9-60B8-135B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000611981Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.182{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F2D9-60B8-135B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611980Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:49.183{97C2ED32-F2D9-60B8-135B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612008Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.854{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7BD970CB762D155CA4B4826656DD2F7,SHA256=57ACFA70B174ABAA773876860A6D0A9ECB4259CCC8AC4DCBA130B936E797B946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612007Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:50.823{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C27CD8C587EF237D01D2D751FEB08B,SHA256=D8480D49E5A5A75591D9030AD85B247057BBD350C983EE3DBF9F2C83B382D086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:50.481{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13423763DEA3ACE2BC7F38B40CD0BA61,SHA256=E194CD214428B29C3368318664F4147DF98D8D5B812E2A91A62625ACA0EB3A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:50.200{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3DC52A08E0DED93F22DAD4748B05AA,SHA256=748C2FCFCCC2D836178898110418E44D11F669F37769385EACEC2EE49CA33E33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612006Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.526{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2DA-60B8-155B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
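The records above are Sysmon XML events with their tags stripped, so every field of the System header and EventData block runs together with no separator (the leading "10341000x8000000000000000611979" is EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 611979). The following is an added example, not part of this dump or of Sysmon or Splunk: it recovers the fields of the Event 10 (ProcessAccess) records, resolves the fused SourceProcessId/SourceThreadId run by cross-referencing the ProcessGUID against Event 1 and Event 10 target records, and decodes GrantedAccess masks such as 0x1400, 0x101400 and 0x1fffff. Field order is assumed from the Sysmon schema, RuleName is assumed to be "-" throughout, and the three sample records are copied from the dump above with call traces and hash lists shortened.

```python
"""Parse tag-stripped Sysmon records of the shape seen in this dump and decode Event 10
(ProcessAccess). Added example; not part of the dump, Sysmon or Splunk. Assumptions inferred
from the dump, not from a schema: <System> and <EventData> fields were concatenated in schema
order with no separator, RuleName is '-' throughout, Keywords is 16 hex digits, and a
ProcessGuid is followed by a PID and then an image path that starts with a drive letter."""
from __future__ import annotations

import re
from dataclasses import dataclass

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
# Records sit back to back separated by whitespace; join wrapped dump lines (no separator) first.
EVENT_START = re.compile(r"\s+(?=\d+0x[0-9a-f]{16}\d+Microsoft-Windows-Sysmon/Operational)")
# <System>: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer, then
# RuleName ('-') and UtcTime. Sysmon sets Task == EventID; that backreference is what splits
# the leading digit run ('10341000x...' -> 10,3,4,10,0) unambiguously.
HEADER = re.compile(
    r"^(?P<eid>\d+)\d\d(?P=eid)\d0x[0-9a-f]{16}(?P<record>\d+)Microsoft-Windows-Sysmon/"
    r"Operational.+?-\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}(?P<body>.*)$"
)
# Event 10 EventData order: SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage,
# TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace. Source PID and
# TID fused into one digit run; the target PID did not, because TargetImage starts 'X:\'.
EVENT10 = re.compile(
    rf"^(?P<sguid>{GUID})(?P<spid_tid>\d+)(?P<simage>.+?)(?P<tguid>{GUID})(?P<tpid>\d+)"
    r"(?P<timage>.+?)(?P<access>0x[0-9a-f]+?)(?P<trace>(?:[A-Z]:\\|UNKNOWN).*)$"
)
# {GUID}<pid> directly followed by an image path: ProcessGuid/ProcessId and ParentProcessGuid/
# ParentProcessId in Event 1. LogonGuid is followed by '0x3e7', which the lookahead rejects.
GUID_PID = re.compile(rf"({GUID})(\d+)(?=[A-Z]:\\)")
PROCESS_RIGHTS = {  # winnt.h process access rights, for decoding GrantedAccess
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
    0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA", 0x200: "PROCESS_SET_INFORMATION",
    0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x2 | 0x8 | 0x10 | 0x20 | 0x800  # rights that read or alter memory/threads


def decode_access(mask: int) -> list[str]:
    """Name every set bit; unnamed bits stay as hex so nothing is dropped silently."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [PROCESS_RIGHTS.get(1 << b, f"0x{1 << b:x}") for b in range(32) if mask & (1 << b)]


@dataclass
class ProcessAccess:
    record: int
    source_pid: int | None  # None when no record in the dump names the source GUID's PID
    source_tid: int | None
    source_image: str
    target_pid: int
    target_image: str
    granted: int
    call_trace: list[str]


def split_events(text: str) -> list[str]:
    return [e for e in EVENT_START.split(text.strip()) if e]


def parse_dump(events: list[str]) -> list[ProcessAccess]:
    """Return Event 10 records, splitting the fused SourceProcessId/ThreadId by looking the
    SourceProcessGUID up in PIDs learned from Event 1 and from Event 10 targets."""
    guid_to_pid: dict[str, int] = {}
    pending = []
    for ev in events:
        if not (m := HEADER.match(ev)):
            continue
        if m["eid"] == "1":
            for guid, pid in GUID_PID.findall(m["body"]):
                guid_to_pid[guid] = int(pid)
        elif m["eid"] == "10" and (e := EVENT10.match(m["body"])):
            guid_to_pid[e["tguid"]] = int(e["tpid"])
            pending.append((int(m["record"]), e))
    out = []
    for record, e in pending:  # second pass, so GUIDs named later in the dump resolve too
        pid, fused = guid_to_pid.get(e["sguid"]), e["spid_tid"]
        ok = pid is not None and fused.startswith(str(pid)) and len(fused) > len(str(pid))
        tid = int(fused[len(str(pid)):]) if ok else None
        out.append(ProcessAccess(record, pid if ok else None, tid, e["simage"], int(e["tpid"]),
                                 e["timage"], int(e["access"], 16), e["trace"].split("|")))
    return out


# Constructed sample: three records copied from the dump, call traces and hash lists shortened.
SAMPLE = (
    r"10341000x8000000000000000611979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.807"
    r"{97C2ED32-F2D8-60B8-125B-00000000C501}36645824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
    r"{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\ntdll.dll+51781 "
    r"154100x8000000000000000611970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.683"
    r"{97C2ED32-F2D8-60B8-125B-00000000C501}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"
    r'"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM'
    r"{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C"
    r"{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
    r'"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service '
    r"10341000x8000000000000000611971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:48.682"
    r"{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
    r"{97C2ED32-D050-60B8-4156-00000000C501}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffff"
    r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\SYSTEM32\ntdll.dll+51781"
)
```

Calling `parse_dump(split_events(SAMPLE))` yields two ProcessAccess records: splunk-powershell.exe (PID 3664, thread 5824) opening splunkd.exe (PID 3336) with 0x101400, which decodes to PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE, and splunkd.exe (PID 3336, thread 2836) opening its child splunk-powershell.exe with 0x1fffff, PROCESS_ALL_ACCESS. The fused source PID/TID run can only be split when some other record names the PID for that ProcessGUID, which is why the parser makes a second pass after reading the whole dump; where nothing names it, source_pid stays None rather than being guessed. In this dump every 0x1fffff open is splunkd.exe, csrss.exe or conhost.exe handling a process it just spawned, so the mask alone is not a finding; what a reviewer would triage on is a memory-capable mask (MEMORY_RIGHTS) from an unexpected source image, or UNKNOWN (unbacked) frames in the call trace, neither of which appears in these records.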
10341000x8000000000000000612005Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.526{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612004Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.526{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612003Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:50.526{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612002Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.526{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612001Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:50.526{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F2DA-60B8-155B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.526{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F2DA-60B8-155B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000611999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:50.527{97C2ED32-F2DA-60B8-155B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000612026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2DB-60B8-175B-00000000C501}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:51.870{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F2DB-60B8-175B-00000000C501}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F2DB-60B8-175B-00000000C501}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.870{97C2ED32-F2DB-60B8-175B-00000000C501}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.854{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617F36AA3A4A45B0871067164B1DD87A,SHA256=CF71B45636E83AFA119BCE79BCBF9C36DC19ACDDFB8F36D7212F7CD2971A40E0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:51.575{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AD276D86C3B140120B1CBABD257680A,SHA256=25382A0E832E1697BD827BD8C235C6A26BCC2A92D80FCDBD69B07063B25F2BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:51.246{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCDF6F8C8FF275D52AD18B1C140B989,SHA256=F89A217FA2B9E5C56EF953B83EB596E099AD002C161C65C2A6E47ADBBC21F337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.338{97C2ED32-F2DB-60B8-165B-00000000C501}48002860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:51.213{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2DB-60B8-165B-00000000C501}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.198{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F2DB-60B8-165B-00000000C501}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.198{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:51.198{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612012Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.198{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612011Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:51.198{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612010Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.198{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F2DB-60B8-165B-00000000C501}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612009Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:51.198{97C2ED32-F2DB-60B8-165B-00000000C501}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000668138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:46.519{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58201-false10.0.1.12-8000- 23542300x8000000000000000612038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:52.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386F739E7490582E1C49C774C35AEEE6,SHA256=4BE73D6FA0C8A7362613976A26BECD59B8398E7AD19EB70E536F7810BDF67A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:52.746{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=319274455FD013E200556DA98812C110,SHA256=F452349153A1B3B3E6D7FAB5F4F9BA22F79247C5044F8AA11CCB44AE5B08E17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:18:52.262{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB70719F50ED35242105E0AAD32F0D58,SHA256=B43AFBE4B4E878AEC5DFA47C03D918DA728AC74351DA4C1875A8A93261DF963A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:52.682{97C2ED32-F2DC-60B8-185B-00000000C501}35846032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:52.541{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F2DC-60B8-185B-00000000C501}3584C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:52.541{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:18:52.541{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:18:52.541{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
Sysmon records from this part of the dataset, reconstructed from the delimiter-less extraction as one Key=Value line per record, in the original (non-chronological) order. Fields that are identical for every record are given once here instead of on each line: Level=4, Opcode=0, Keywords=0x8000000000000000, Channel=Microsoft-Windows-Sysmon/Operational, RuleName=-, Task equal to EventID, and Version 3 for EventID 10 and 5 for EventIDs 1, 3 and 23. The extraction fused SourceProcessId and SourceThreadId in EventID 10 records; the split shown is an inference from the process id the same ProcessGUID carries elsewhere on the page and from Windows process and thread ids being multiples of 4.

EventID=10 (continuation of a record whose header fields, including EventRecordID, Computer and the date, precede this section) UtcTime=15:18:52.541 SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501} SourceProcessId=724 SourceThreadId=1868 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501} TargetProcessId=2016 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612031 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:52.541 SourceProcessGUID={97C2ED32-772E-60B6-0500-00000000C501} SourceProcessId=408 SourceThreadId=528 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={97C2ED32-F2DC-60B8-185B-00000000C501} TargetProcessId=3584 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 EventRecordID=612030 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:52.541 SourceProcessGUID={97C2ED32-787E-60B6-C000-00000000C501} SourceProcessId=3336 SourceThreadId=2836 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={97C2ED32-F2DC-60B8-185B-00000000C501} TargetProcessId=3584 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=1 EventRecordID=612029 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:52.542 ProcessGuid={97C2ED32-F2DC-60B8-185B-00000000C501} ProcessId=3584 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe FileVersion=8.0.2 Description=Registry monitor Product=splunk Application Company=Splunk Inc. OriginalFileName=splunk-regmon.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={97C2ED32-772F-60B6-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25 ParentProcessGuid={97C2ED32-787E-60B6-C000-00000000C501} ParentProcessId=3336 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=3 EventRecordID=612028 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:49.963 ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501} ProcessId=3036 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50839 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-

EventID=23 EventRecordID=612027 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:52.135 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=4B3BE523F314AFFF4FF92DD343069B35,SHA256=CB364DEDA15D7C32C925C5FF245E539A4DCEF0970B75174FCAFB56DF23B632A1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 EventRecordID=612041 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:53.995 SourceProcessGUID={97C2ED32-772F-60B6-0D00-00000000C501} SourceProcessId=788 SourceThreadId=716 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-F121-60B8-DA5A-00000000C501} TargetProcessId=5268 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=23 EventRecordID=612040 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:53.901 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=0F9CE8703E738F4C0A38C484182FE15B,SHA256=0972C9DC03CF7E456C2B3F23289781EBDAC94135F899D66B46E0CC9E4BE65DD0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668143 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:53.340 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=169F05A21E2F8DD7BF910109D0D53512,SHA256=0060E921EB148C49CF7027ADCAB88E553D72376C9A7901071773F589E8B81EF0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612039 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:53.557 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=13B1004D901981A04C54527F502663E1,SHA256=36DBEFBA2E8CD285E579B31EF265AE784F3B3D3906BE406984A68A0A6EE024B2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612042 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:54.932 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=0D66A8B65D690FF5607FC537B0741624,SHA256=6AD632C50360C191A2BEBC83D2AB58FC89DFE47B5F2DEC07468192EEA076DD72,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668145 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:54.356 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C8AF10FE0F02B08AE3C4227213E134FF,SHA256=E1700222FEC8D304B59DE9A16BE1DBA7585F36F82FE4C45910A72581F281FD76,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668144 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:54.090 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=B6B22CC29EF5D016E3AE4779A1D58BE2,SHA256=D456141F29C221289B9F7ADCF93F95C7F312819D183F4AFF8E26F8BF726B033B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612043 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:55.963 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=683426B07FB5EB04CA1E4F68A57905E8,SHA256=F081E96A563DF070CC7784F11CEAE6ECAD9B3189E36A1069192B533A1C02E083,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=668148 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:51.550 ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401} ProcessId=3320 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58202 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-

EventID=23 EventRecordID=668147 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:55.403 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=462BF26535C8DE63C17BA675D74AC9EF,SHA256=521BAD5BEDFAF66AC313B3C44F48C7977130F6B2FB693137432D227751539B3F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668146 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:55.137 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=42DC72764415A724C0D484153EC2626B,SHA256=1DABC29B92FAB8EB3E8B630C6C14B5A81808FC881D177258FF58CF656CF16A7B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612044 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:56.979 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3AFEA00292B71D6E7C090F9EDBCD071E,SHA256=F3C423C1F0AB01F8F688202F817BE1273A4327DC2F86ADD2BB3CCC5E854DFBF1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668150 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:56.543 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=8F0726FBF4725D889C792E77B4AC03AC,SHA256=FED3C03DF3DC691232EC942319E7F1DA544C4C7003889524CF43C8C1FB625B76,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668149 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:56.434 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=12C7F927693D5EDC330A12E632CA5B59,SHA256=67C4E334B8F24D2DAEEAD910C48D58BE9DE53F3C33D699ABF1E827C3AAAA1CBF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612045 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:57.980 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=9E3BFCF632BA4F13210F080F9D1BA74F,SHA256=9DDBF61B2AD36FE53560518EE501423FCB97393686D01B3C34723AF68C3C9793,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668152 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:57.746 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=9602654B0552F1EBA5B1AFFB1D42327E,SHA256=E018E486286471493B4992D5840FA095D8E60D891060CDE56EA2557254DBE9B2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668151 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:57.450 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=89ABF2407216407C9F09A6A163773504,SHA256=D4942246222EB15B0F0D2CD15CDD220E79C439427150B0EFA808933F8ED85624,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612048 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:58.993 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=CA0B7C2E7E6F85EC285D4D6977EEF6C7,SHA256=C96153B592EAA419878CF79E63C0DF7BB7D619F5A040F7A6A6C9F71F1D86AA89,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668154 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:58.825 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=0E23A6EBA20E9823E1590A406D631042,SHA256=50699037ACF4B77FEF137975D1C07405DF279570A68F876F7473B835FAF2C29B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668153 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:58.465 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7FC83BE0919DFF74BFFF9D908EFECF18,SHA256=72DB473C146E369EE5A59ADB1484396CE2DA78374AE7DEC7B20AD87D2FBD0D35,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=612047 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:55.901 ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501} ProcessId=3036 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50840 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-

EventID=23 EventRecordID=612046 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:58.058 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=92DF4D2A00E3688809AE400BDF5D7FDF,SHA256=EA836141E1A9A451F822D22BD72D6A3413505B131F60AC9D8F2187D950C1A098,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668156 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:59.954 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=5AA0EC72C08CF70F28A25CD1A300F84B,SHA256=70729A9C8933EC0C8BCFACEA2CC53DF768B81A8AFBDF517731DE4FB8419E7A91,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668155 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:59.485 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F16F0114D69A044649516C29079D2836,SHA256=558B252E9ADA97EA52D7A355373B3DE89FCFC7E04316296199A13BAF87A2C61D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612049 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:59.199 ProcessGuid={97C2ED32-787E-60B6-C000-00000000C501} ProcessId=3336 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668158 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:00.501 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=DDD08A43946B69D2DE8D1AD9C419732A,SHA256=0E23930DCB9C43DACCD51338059CBFDB55F960562C3B8725018BC01487E91B40,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=668157 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:56.675 ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401} ProcessId=3320 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58203 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-

EventID=3 EventRecordID=612052 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:58.027 ProcessGuid={97C2ED32-787E-60B6-C000-00000000C501} ProcessId=3336 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50841 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8089 DestinationPortName=-

EventID=23 EventRecordID=612051 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:00.405 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=5FA290DA3B3C9087C3C842C47A48E13C,SHA256=3D2E8BEC6105559C5FE381F74E006CDCC0F9935097658BCBFC38BBCB56D7DE32,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612050 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:18:59.999 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7466294CF9DBB23CEA123E51EBB27199,SHA256=7D3BCEEF1041E19C49A8065801CCDACDADAF83C127F0AD53FC953DAE7FFFFE77,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668160 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:01.520 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=944745AC48895298E306EF8779007C02,SHA256=04F56ECAA9E7A377FCA6113F93F4DCCAEFFA0386F3A15C063829CB9E8A71BE89,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612053 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:00.999 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=131AAA08641F448F5ED5817E9AD642C2,SHA256=89B451236F7D867D75DE2D978AD501C55E8B49F1772CB70EFF6064A3968A66BC,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668159 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:01.204 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=001F7DEFAC91F242C76845B3721650F2,SHA256=DDF99604D4341766E429233079BC0FAD5AF9A52D2153E9F8E0BEEF4A0BE48553,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668163 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:02.705 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=D1C01629C16C421B5EE61316645CD3E4,SHA256=A7DB3EB7AA93E935B663ADB8B4EE7DE9D6D5931B111CC8CCF0B21F09EFF9B728,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668162 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:02.532 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=34C2BB28387CDF5A1E80B9556EBFBB0E,SHA256=E21EB04AFAD6E17E2D6E442A1E74A281AC1441355B5FFF690FC17322C7267424,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612055 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:02.421 ProcessGuid={97C2ED32-772F-60B6-1000-00000000C501} ProcessId=976 User=NT AUTHORITY\LOCAL SERVICE Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Hashes=MD5=9F0472BA415B19C097F48652BF6373A1,SHA256=FBA90FB63E484D29A38EE31E71DCADE1D15C63657537B57E66B269F76FE4D157,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612054 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:01.999 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=D5A62C7C028CF947C4F9AA375F3F3858,SHA256=089CD276B3B21FBA0049756312046BAB178B46A4E5C959B0D8050B5614BBB45E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668161 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:02.186 ProcessGuid={D419E45B-753F-60B6-2E00-00000000C401} ProcessId=3052 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668165 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:03.830 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=4B0D3A6A0F4CCF27F0BD28C4287193D7,SHA256=22E4D8E6C304B98456EE0BDE72C95A992D6D4A3F3B1692E3D8E5A66F16418067,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668164 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:03.549 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=01E294CEBA69521A2843225A46D5BEF8,SHA256=B48EC537ABB4138E05D5A218DB8A0B00A06E2CF165BB201710AB7E4BEFF40E81,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612057 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:03.062 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=D0BB4B94D88908ADBE167F43979672E9,SHA256=3AB94164B0EC27AEC7047D87948C68B1BE3F1B44D630D7504B4BB9714C0571F7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612056 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:02.999 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=BFE153CC295CA6C17943ECB6622206AF,SHA256=364DB22A025D8FC827F543D9712F267DEC9027792A4CE2FBD8628A7851D6A152,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668168 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:04.987 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=094F483BF7C0504F0DB1C74D08AD1081,SHA256=530F53A39629BBAAF973D31569288D1DB4D4933C895A0E4F15D678A1F8563B31,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=668167 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:18:59.633 ProcessGuid={D419E45B-753F-60B6-2E00-00000000C401} ProcessId=3052 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58204 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8089 DestinationPortName=-

EventID=23 EventRecordID=668166 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:04.596 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E7C543BB754EE5AB97E57798A1887E46,SHA256=0B16666922AB1042D2C3CAE42985329F3F088E45D773E169CCDE2A0BDFF9BF89,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=612059 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:00.905 ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501} ProcessId=3036 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=50842 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-

EventID=23 EventRecordID=612058 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:03.999 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=39E26A0280AD8DF5A1A7AF44A7DC3253,SHA256=83848E15BE9AFFB2A6810EC73ECAC960D5983852798B2707982551CF4641E978,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=668170 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:01.696 ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401} ProcessId=3320 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=58205 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-

EventID=23 EventRecordID=668169 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:05.612 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=ED53C6B377E6F06D8015E48DB8C619E2,SHA256=BEEA70834921E82BC5D8F4C13F10B662ABB7B6C3B3C05A1972F18406FBF724AE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612060 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:05.046 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=D2E30D5B963266FFB27082ADFAC50F04,SHA256=1F94635FA75176173CA3DDC321082D51E7CE9A18D01004F426A089F35739CDAE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 EventRecordID=668174 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:02.446 ProcessGuid={D419E45B-752D-60B6-0B00-00000000C401} ProcessId=632 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-233.attackrange.local SourcePort=58206 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-233.attackrange.local DestinationPort=389 DestinationPortName=ldap

EventID=3 EventRecordID=668173 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:02.446 ProcessGuid={D419E45B-753F-60B6-2D00-00000000C401} ProcessId=3028 Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-233.attackrange.local SourcePort=58206 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-233.attackrange.local DestinationPort=389 DestinationPortName=ldap

EventID=23 EventRecordID=668172 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:06.643 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A7F1D485A9E46B6DBA18770C175CCB09,SHA256=F4B40D6C0EC5EB8F146EAFF6FBB65C1183F5D27BCB3987E89FD311CED28B00BE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=612061 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:06.093 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C0061A5667969B8BFECF8B04BB017F03,SHA256=02295CE59F1EFB07E3C9DB0C437DFC12E8418A648FD2450E3EA2980DB4BD02DF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 EventRecordID=668171 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:06.096 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=D7F98A807A684D682F60C0D5C4BA027E,SHA256=EC7CC97DDA4ED05098A30884DF710DECC53CC7DEC84352A0E47D8EADD0D50AC7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 EventRecordID=668177 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:07.846 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=4184 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-752A-60B6-0100-00000000C401} TargetProcessId=4 TargetImage=System GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e

EventID=23 EventRecordID=668176 Computer=win-dc-233.attackrange.local UtcTime=2021-06-03 15:19:07.674 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=9530FDB37102A209029A68B40A30F7C3,SHA256=B44DB9ECB3CF98688CCCD9599F401C4DB7CF5F9DBB1CC8E3F35BE7EA3AA210C3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 EventRecordID=612087 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.249 SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501} SourceProcessId=724 SourceThreadId=1868 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-772F-60B6-0B00-00000000C501} TargetProcessId=628 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612086 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.249 SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501} SourceProcessId=724 SourceThreadId=1868 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-772F-60B6-0B00-00000000C501} TargetProcessId=628 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612085 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.249 SourceProcessGUID={97C2ED32-772F-60B6-0B00-00000000C501} SourceProcessId=628 SourceThreadId=3716 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={97C2ED32-7730-60B6-1600-00000000C501} TargetProcessId=1204 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612084 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.218 SourceProcessGUID={97C2ED32-7730-60B6-1600-00000000C501} SourceProcessId=1204 SourceThreadId=5704 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-F2EB-60B8-195B-00000000C501} TargetProcessId=5132 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x101541 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612083 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.218 SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501} SourceProcessId=724 SourceThreadId=1868 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-F2EB-60B8-195B-00000000C501} TargetProcessId=5132 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612082 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.202 SourceProcessGUID={97C2ED32-772E-60B6-0500-00000000C501} SourceProcessId=408 SourceThreadId=528 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={97C2ED32-F2EB-60B8-195B-00000000C501} TargetProcessId=5132 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 EventRecordID=612081 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.202 SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501} SourceProcessId=724 SourceThreadId=1868 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-F2EB-60B8-195B-00000000C501} TargetProcessId=5132 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 EventRecordID=612080 Computer=win-host-236.attackrange.local UtcTime=2021-06-03 15:19:07.187 SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501} SourceProcessId=724 SourceThreadId=1868 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={97C2ED32-772F-60B6-0B00-00000000C501} TargetProcessId=628 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.187{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.187{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.187{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.187{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.187{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.187{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:07.171{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.171{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:07.155{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.155{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:07.155{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:07.108{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C50BDA84C38DF42FB13BD430119B0,SHA256=29D8318917EF6A50716D8133718C6B2FCF228714CAEC7CDC61DECF0060B9719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:07.580{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9858746BF559B649F0E3120FF77C2F7B,SHA256=EE4E0601DF90A28D825BD14B388BD481811D8D34AAA4101C77DF16363909FFEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:05.207{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local58208-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000668181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:05.207{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58208-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000668180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:05.199{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58207-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000668179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:05.199{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58207-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000668178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:08.737{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAAEC6CF7950AC67BB70BC4B217457F,SHA256=D79353DD603E28CDDEC7C15D376D33472A2883D89F381973A4A55ECEE0B168D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:08.780{97C2ED32-7730-60B6-1600-00000000C501}12045780C:\Windows\system32\svchost.exe{97C2ED32-F2EC-60B8-1A5B-00000000C501}5012C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:08.765{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F2EC-60B8-1A5B-00000000C501}5012C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:08.749{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F2EC-60B8-1A5B-00000000C501}5012C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:08.749{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F2EC-60B8-1A5B-00000000C501}5012C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:08.530{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D14E9742F7ECCC63031D2AB08CB407,SHA256=71679630F577278C139DABDB78293078BDBD1125805139B99DFA21CB69569122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:08.530{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07F26E1111C0899EB52DCC8DC5F0B89A,SHA256=8DF7D2EB8AA4329BC415A74D4DD42FED2678A78DCF103D69174000718D793C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:08.530{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07B5DFFF10C89C2839B4C97B51AAB0F,SHA256=34F64DB23BB01F757FD07C0943DE475B2FA6E9EA6BF57CDBC5A24A54300E61BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:05.314{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58211-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000668189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:05.314{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58211-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000668188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:05.310{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58210-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49667- 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:15.222{D419E45B-F2F3-60B8-E550-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:15.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993C9BD79B66B21D59DE24D1E28CD9DF,SHA256=67623E83D35C7C0373D00ECC6F5202D9BE7EF01E333386EA2BA695C4A4E312D8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612108Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:16.655{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0993C06BDCE8BB1080B7DF9580010318,SHA256=5B2811A4BF01CFA69F3F54221F988D2B7324D19866387169E9CEDB4B8AF0BB35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.752{D419E45B-F2F4-60B8-E750-00000000C401}11806660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.596{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2F4-60B8-E750-00000000C401}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:16.596{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.596{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:16.596{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.596{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.596{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F2F4-60B8-E750-00000000C401}1180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.596{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2F4-60B8-E750-00000000C401}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.597{D419E45B-F2F4-60B8-E750-00000000C401}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.377{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327F106643BE1DA5709044A0223A0805,SHA256=B07A4B874347A5F17CA6544F3025412251E4EFE220B63C56BF98227B515674B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.096{D419E45B-F2F3-60B8-E650-00000000C401}30365684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:16.049{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E4580A956E39E904774B136E0517B,SHA256=103F33E477BB52A4313E29864BD11EE65DF4AF15CC871FF1324247C76747198D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612109Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:17.671{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84D21CA47F928916E90F76B074F9C40,SHA256=06D0E14AD841E3D493CC130C662261F19B9D696A40E2D5A6E3126DA9F5A24454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.955{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2F5-60B8-E950-00000000C401}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:17.955{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.955{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:17.955{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.955{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.955{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F2F5-60B8-E950-00000000C401}4696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.955{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2F5-60B8-E950-00000000C401}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.956{D419E45B-F2F5-60B8-E950-00000000C401}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000668258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:13.555{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58213-false10.0.1.12-8000- 23542300x8000000000000000668257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96B06F0BA65C2F433DEB01F0437FCE23,SHA256=EC5082E26278B6190ED8B55BB05A64C90F2458B77A60E7BD08785D12F63B11BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.283{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F2F5-60B8-E850-00000000C401}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:17.283{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.283{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:17.283{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.283{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.283{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F2F5-60B8-E850-00000000C401}2556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.283{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F2F5-60B8-E850-00000000C401}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.269{D419E45B-F2F5-60B8-E850-00000000C401}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:17.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF46829E6C864C93EA2B61E2A9B34FA,SHA256=E4D78BC70820D96B1663EAE7F4DDD75B37FDF9618EBAC336012B53F2F4F6B264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612110Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:18.687{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBC4CDBC5214A1D00545B97C48F99B7,SHA256=E643CC5089F3DE44FFEA42D1FE59FFF18B3EF9DDE8FD4A0CA259FFF762B78A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:18.768{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB670424290ED91A9B5B86C980AE713E,SHA256=09FEB509A8F402DA9720AABAF7CDA8DF6C4FACEDDED338A446F9CD42E905D44E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:18.080{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDDF22034477CFBFEB52F11418DA904,SHA256=60F31C1758CC0692ABA28CFFC6AC4B746988206C21AC4EF9CE9FA2988D0E1ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:19.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4784443B7592390DBB623319AFA4DA07,SHA256=C739EAA3AEAECBFB8F601264FA7F87805C3D1F7FC13E84EE48E63C9BFAF5532C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:19.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F0E9EB92FDB61914751A7F8AF13958,SHA256=720408E52EC1D1D697DA86897C70BDE884840DD3BF88D1BBFF2B1D2CC1F1BD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:20.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6055644144C85F3AC45C2EB046B05677,SHA256=2A7844721A41F8F7AA05A0324BF85F2EC861FC400023A45A032CEFBCE8B412BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:20.263{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C54AD6AE2CA015D7DA11A593221939DD,SHA256=ED6DAE42C35FB41641D4628A2543ED3CDDA93CF97646F47561B4295AE95D9113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:20.263{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F824D99B9D013CF67B39375E4F6429B,SHA256=633D3AEFDD756420C7799900ABF1586BF43A59AF6EF9F11606D2F928E21CCDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:20.058{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE649CF0E9436A477AF0A25F40ADEEB1,SHA256=45CD071036A1FD912DB6EA2F990AFEFEAE5A0BBF471F4DE6B17957BFB8D3FC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:20.058{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=980FE98A1A5D4458FA79A7D00766D9E5,SHA256=8661EB7049B27449A0F73CB8FBB539126A1D6BA7F289D0BEAE32CC7872D68A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:21.403{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5374783FBE2E6ACA6AE7BD049CDF15,SHA256=1E18C1A353B0D9F3EB2B363B99CE8C8CB813E26A9F3EE79C924F446D0D3FB5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:21.278{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A045A9A42FE34530ECD33C750AE761E4,SHA256=365AA50C2C0E48503FE542391A3D108E994DEA98EDA3561C46EDC63BB0464D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:21.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546B777D722B2158A792B3B80483FFF0,SHA256=50C713F146178284541121B8278FCE6C3E21889C0E6731406F4C52E8F04D6FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:17.858{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50845-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612117Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:22.730{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C61B7683EDC009D4FCDA32B440AF2C2,SHA256=DCBE3A5F0CEF4556EF6ABD19166AF1838D276215CDA436320056657311B6683C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:22.544{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B93FE263DE9BBE59042CBAC31495860E,SHA256=1D97507FEDABD374FF94D9DD68E8079B6577597280C4B15FDD1EA69935556890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:22.325{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519963211C4F1BB4FFCF247547EE2A10,SHA256=E7CA6143C01F74E2CC4DA99534332646F74B0E49F8C17B2205A057821377C6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612118Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:23.730{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A1F341B56BF753B01B685E5987B4B0,SHA256=97BB5B7EB378344D0D07EE9D68CC46AA3E5DCE9A6FEE73CCDD6132A020BFD8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:23.403{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05562EC541CD6567F3D26AA4A21DDE73,SHA256=E2904019AFA2EEDCE6A15A2AE68982158E1BA7D26A6C40CFBCCC06DF4E804ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612119Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:24.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D04B9E8D99433BAE75D6C9FBB44BC9A,SHA256=FA362E23679F0AB5123932E4582D51B1636348543F10D744C4AF49B2F1037122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:24.450{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B95F37B1C0B97E1CEC2CF1E36B5603C,SHA256=ADF3D5F9AAF6FD063113AE1AFE6BED9D386F54B373D36853F8F6170E04BDB9E1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:24.310{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85B0346D2CBA459A926BD7C992401955,SHA256=30B05F85D0E7DFC8ECFD20C919E19E9E4ABDBF67500335CB8F6DBD8F873A32FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:19.519{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58214-false10.0.1.12-8000- 23542300x8000000000000000612122Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:25.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FF9618ED297532C294A8F5757E4452,SHA256=A511D714C4B831431C9820DEA9345A62C2A389B68DE0C5D79A1E0B08900C63F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:25.669{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E47A8AD96C437EA2EF4C752BA5E21E1,SHA256=B22F35BE78BF09490574010A932EAD1596D05C926805EFC1183B7A02EE1E5E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:25.466{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B2846B8692A9FDC5354375BB870B0E,SHA256=1322664C39E5181BCB4E3327F8A397EC97C2689EC182E849ACCB50944FE49194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612121Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:25.245{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=340717FD4395CC92693256873CA7DE30,SHA256=24A15DE7AF44E014447F9F93E63FEF80E3BA4DA50D54EC9CF65B8B8CB4AACAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612120Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:25.245{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE649CF0E9436A477AF0A25F40ADEEB1,SHA256=45CD071036A1FD912DB6EA2F990AFEFEAE5A0BBF471F4DE6B17957BFB8D3FC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:26.810{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC33CEBA44CC04CA785A01F5C4ABE26A,SHA256=6383E3B0FF2872DDDC7AC1F62634D5CA0EE466BCB43B43940751F0210E013718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:26.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC482F5D4AFB00823613DB788C57C26,SHA256=4EC622C193FE1D5F40198DEF5EA2333F5C0A4B831778ACB3055D6FCE27417AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612124Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:26.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC543F86BF1C628F41A08BAA8C5FFCB9,SHA256=3D1D1AD61407A5327EAE794F69D2DB2DF4C2530F43999BE9BA71C6B983700A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612123Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:23.026{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50846-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612125Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:27.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B09AB47A69BD66FEF7C849D2151716E,SHA256=99E3BF3452336BD8AED8A24D124AF9759CF6D174396B3DBF84F3C77CD826E48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:19:27.856{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62CC559CCF2B3788F28FF0404BD36483,SHA256=35064B99B6928E10FFC78F82B86852600A9F1AC582B6CD9D3084A0C241F74227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:27.528{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DD8D9262FEE182770B9DD385C6268,SHA256=0A78A5555C60C39D227D0933E816B33D31223B7D0C5F6A255B2355C1D76F39A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612126Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:28.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C182416044FD92C5E892786B0867B5E,SHA256=2EEE01DB855950F1C83FBFF2280589ABA3DAB266C362E8AF46138A6451D2783F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:28.997{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B7C637B96A917DF87A6A12BED61AF42,SHA256=3EA6EDDFDDBAF02DE8D98C69020F7BB37D6CEB72FBFFDDE1C9807672220B96E5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:28.544{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E59898620C60DB484A976190C3B84B,SHA256=0108837C27F1D13C2578253CD335719FC88FDD8601E965789315161039AF3245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89A739270141F56EA12BC891014875A,SHA256=4369AB7C945898974A656DDE53C41C3FD3A24482F2134A694BAAF13055FEFA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:29.560{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E25E9DE37E0F0C0C6E674F3C43099F,SHA256=00871D5E74F0078ED2A7A68A77E4A1F0DFED37E88B43B4473E43143457ABE913,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000612144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.151{97C2ED32-F301-60B8-1B5B-00000000C501}1416C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000612143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.136{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F301-60B8-1B5B-00000000C501}1416C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:29.136{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F301-60B8-1B5B-00000000C501}1416C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000612141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.136{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000612140Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:29.120{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F301-60B8-1B5B-00000000C501}1416C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612139Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.120{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F301-60B8-1B5B-00000000C501}1416C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612138Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.120{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F301-60B8-1C5B-00000000C501}3328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:29.120{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F301-60B8-1C5B-00000000C501}3328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.120{97C2ED32-F301-60B8-1C5B-00000000C501}33285148C:\Windows\system32\conhost.exe{97C2ED32-F301-60B8-1B5B-00000000C501}1416C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.105{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-F301-60B8-1C5B-00000000C501}3328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:29.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:29.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:29.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
23542300x8000000000000000612182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:45.960{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8385038DF7F4CB80928688D2CA85457F,SHA256=509A0C6F165216B36C1083B367D8E5009FE00CD68F5690EF29C23E3CE644B4B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:41.609{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58218-false10.0.1.12-8000- 23542300x8000000000000000668320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:45.228{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EFB7DE8D5E58C4500DAAD17711E9A4,SHA256=F6E0CB727A9F43800E0940D99181A286C129D037213E2F0946FCF914C7143727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:46.960{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C53DDC598DCA5C6B4F31692FF449675,SHA256=32B64E01A4DF075DE5B91BD0E93E2138E42A5B86D43193C3DD04B35983D51393,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:46.244{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01023C9C3A455C62380E20B6F3BC91D6,SHA256=B30F5E5A9A1CE4F91A4820A676B74C625CB0D8120EA92FDD96B3F7BEA434D940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:46.119{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=562A6B457655CBE6AFFAF257D6889DB4,SHA256=6F824AB6160469DFED11BFBF8AEFE886078520DB778BC86BD582B9531F6BAE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612186Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:47.961{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE73D8B744D0D6969A85D801C4CFFB8,SHA256=C65AD7116E5317D0F32281C804DAEA8D8D01FF26E9CF26E7F82E06B6CD9EB95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:47.462{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=900B6F82A10938C078AD1D84FE3EE8D4,SHA256=6E2CF8F6BAC295B6A736FE7D2E165BF4DD2925E928D397E974979A52586034A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:47.275{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2965F22C46022FE0644E76364DC1D8,SHA256=18AF1B3461B93A93586A34DD54A4509D2ECCB433C250129A508F97C84B2E3D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612185Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:47.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD21077B7CA4F9AAFE944D381AA0232A,SHA256=F996B533D710A6F7C2C24770B49C98E7D9932DCD5A86D784A732D5D7BB4512E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612184Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:47.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21FD4FF1691ED8427A251B55FF843FE9,SHA256=170EA76DE37F2A66E66933F64F0D0F81F633CF65D91FC96E2664A9CD2C79717F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612197Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.976{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E233B59FD950F9673C63C8FE5FC795CB,SHA256=2DDB09B169F2BEEEB1D9AC21A34F0C0617342EA9590F3E73C98004473B66C557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:48.603{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49AF8F2068A1E62B30F282733FA05BE4,SHA256=64C377E4A8B95C795C55E9449EAA6BB343BF75BB28F1083F08A9226805F71B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:48.509{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785F786DBBC28A7CABECEF2DA1EA8522,SHA256=9C6B689E21230F7127721011D59091D8456872E08A5644A1B141E5BBAF4AD0B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612196Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.820{97C2ED32-F314-60B8-1D5B-00000000C501}49921424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000612195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:45.007{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50851-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000612194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.679{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F314-60B8-1D5B-00000000C501}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:48.679{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.679{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:48.679{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.679{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:48.679{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F314-60B8-1D5B-00000000C501}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.679{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F314-60B8-1D5B-00000000C501}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:48.680{97C2ED32-F314-60B8-1D5B-00000000C501}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612208Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.992{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100DD4B6E5776C28F8750461F1472147,SHA256=94FDF80651E0F9D510846136F311349E55EE83F364FBBC2143260FE205C7A159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:49.759{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BBDD7D660FC3A0659584DAAFBBAD7D7,SHA256=8BE48CBE947EAA1F0506C90D86546141FB6D935B6F19F20D27FB41E04E6A54FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:49.556{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BE0B6A8042406DBA57F2F4D2D37103,SHA256=920741D423DC8D7727FE790246DF96075C47F96E87F3E10E120D5B09B473962C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612207Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD21077B7CA4F9AAFE944D381AA0232A,SHA256=F996B533D710A6F7C2C24770B49C98E7D9932DCD5A86D784A732D5D7BB4512E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612206Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.476{97C2ED32-F315-60B8-1E5B-00000000C501}55244608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612205Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.351{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F315-60B8-1E5B-00000000C501}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612204Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:49.351{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612203Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.351{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612202Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:49.351{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612201Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.351{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612200Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:49.351{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F315-60B8-1E5B-00000000C501}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612199Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.351{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F315-60B8-1E5B-00000000C501}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612198Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:49.352{97C2ED32-F315-60B8-1E5B-00000000C501}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612226Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.992{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF749ED60F6ABF0709FEE9737E46B423,SHA256=94A54A26897942D88C11E79810C72AA7CE4ED46518CF7D743D4B571725B97FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:50.900{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=229FD583AC7C024C772C862BBDCD2638,SHA256=3B058461BDF18450E1B909C476E09E022E25996562874A3CB77A81047220E8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:50.572{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3991C2BA9DD9E79C7C6A57D517DFE2,SHA256=B61E053EEC71E7B2B04AEC2C55B0A78CB387DACFA1F25578085FB1F8D14D4AAC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000612225Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.710{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F316-60B8-205B-00000000C501}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612224Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.710{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612223Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:50.710{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612222Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.710{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612221Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:50.710{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612220Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.710{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F316-60B8-205B-00000000C501}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612219Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.710{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F316-60B8-205B-00000000C501}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612218Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.711{97C2ED32-F316-60B8-205B-00000000C501}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000612217Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.179{97C2ED32-F316-60B8-1F5B-00000000C501}3445640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612216Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.039{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F316-60B8-1F5B-00000000C501}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612215Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612214Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:50.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612213Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612212Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:50.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612211Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.023{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F316-60B8-1F5B-00000000C501}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612210Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.023{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F316-60B8-1F5B-00000000C501}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612209Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.023{97C2ED32-F316-60B8-1F5B-00000000C501}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000668333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:47.577{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58219-false10.0.1.12-8000- 23542300x8000000000000000668332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:51.619{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B514F5A262EF69ACF69D09F5AD89FB94,SHA256=36EB991E3D4DD4352FFB075F3ABC4BFD435F167B56AEA25593517F5B2A4B1F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612243Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.882{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F317-60B8-225B-00000000C501}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612242Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.882{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:51.882{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.882{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:51.882{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612238Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.882{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F317-60B8-225B-00000000C501}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612237Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.882{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F317-60B8-225B-00000000C501}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612236Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.883{97C2ED32-F317-60B8-225B-00000000C501}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000612235Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.210{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F317-60B8-215B-00000000C501}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612234Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.210{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612233Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.210{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612232Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:51.210{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612231Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.210{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612230Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:51.210{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F317-60B8-215B-00000000C501}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612229Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.210{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F317-60B8-215B-00000000C501}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612228Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.212{97C2ED32-F317-60B8-215B-00000000C501}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612227Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:51.039{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C5433BADEA3E39CDF9D14CA9B77D47,SHA256=5E9B3FC9B8B916F1CBB444E113B46BD876610757212A508123CA570860468921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:52.744{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027469A7B69B777F998D562F4E54B3F1,SHA256=36A92D5546C58F0D6F36178A55ADE84F4D5201ECB1FAFCBDD0BC1CD15A8E90B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612254Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.695{97C2ED32-F318-60B8-235B-00000000C501}59041408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612253Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.554{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F318-60B8-235B-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612252Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.554{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612251Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:52.554{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.554{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:52.554{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.554{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F318-60B8-235B-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.554{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F318-60B8-235B-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612246Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.555{97C2ED32-F318-60B8-235B-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612245Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:52.226{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C464A90E813748EA8464E6B4C0F1998,SHA256=DE3B8899ECEBBBB8AAA4EF7D15371AE0A924E55904C4CA4247A8134E92502AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612244Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:19:52.007{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB19D6B125F6B59CEEA4F487B0C6014C,SHA256=DFDBDF3E677571A7C4636525133CA559FAAEC8E357B5F2F4FCA2142759B03B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:52.025{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B298DB7A5F1E4AEB48E2D3A047EBD33,SHA256=7B7DADACFAC4C24011CA9BE7ACAEF923B3427B4C38604D266970C952B064C0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:53.759{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA8BE2869B03BA4A9431F21A9D9D92D,SHA256=3E9C26501C0AF60A191FFB38E56EDC0B3F7266FF5A8A8980373C50F1A53E59BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:53.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B269A00CAA1944A3FCB7495458B1F4D,SHA256=C8F3ABDE458C598B1CED0E4133B1EEF1ECC09CB244BB74CA3C1E22B2C6CD7186,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:53.007{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A9CF0B2EE67B3B2B25B837BE4B94C1,SHA256=96A1AA39F0942DAAB32CCA463B8DC4C378BAD6D35D45472EEDD02B132BD790F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:53.275{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70964803412A03F8DA9E8BD69F5483A8,SHA256=3ABD0A94CB7715E2AC99234411FDAF92C16474606ECDC80E1CCA2360278CEEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:54.775{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81A0D3122786F5E6645C25233EE8188,SHA256=EBD927BB216AA5BC72603206986C3141C66DAE7522703FC2EC9E28B14F93F759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:50.882{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50852-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x8000000000000000612257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:54.007{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4446AF2E666AEDDC9362300BF6C09CD9,SHA256=19C7F65FF8CAD22B018590A0FC6DB40ECD3DF64AE0D700CD494411DED01DA45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:54.634{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8EE7AD16C1D8A27E3DF70647209FC3,SHA256=8CCDC2436DA972B49B91EB8A89BA5326CA0734010B6C5A30BFEAFEA7397C93EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:55.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26120E3A343910D4019CD860D0FDD26D,SHA256=353ED4F85D70F7CD43F6E733B7E7925C1AEB37CCB5899AFB89FCC8FEC83A10FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:55.023{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9774281B53EB55CB33FD1F75D4D292ED,SHA256=65235A0841758E5EDEC4E5A6990A1DB72BD1560DDBB8BEBFDC8D5F54EC65BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:56.931{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546FB4A57E1EE6C6971CFD865DCB4352,SHA256=A68EF9B3433121341B9CB77F32ECA4A42F8C95365F9E50C678A8D37A5B16BDF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:52.640{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58220-false10.0.1.12-8000- 23542300x8000000000000000668341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:56.103{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06A2F20218659653A9F069134BA4384F,SHA256=1B3615A0E42A3455EA64042A53CC9DF13D637A82EB5600D335B191E8F6FEFAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:56.023{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88032D40A5B5AB3DA2A54D8BADBE8C05,SHA256=449B27EBAF93506C7EEE1E49905B7BE09973A1C08E44C3C99BF972E92A33D03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:57.947{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEAF05E1BB263231F19CC7DC49582F2,SHA256=3802323ADD98E35C4FA5EC2D3A240BDF07587E130931BD7958E447BA97F9E05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:57.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F0ECB35C9628CD7716C696F9A874085,SHA256=3A633436B0D9D68E40DFB05D6F4F4565F1E68A3E860AEEE290A6379EB6CC3931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:57.039{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E874607907C9C6711D43AB7770961E0,SHA256=830B443BA59F03BE10AB08B8D3B009C7740E6D0E06BBD44DCDBE5F03B4C14C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:58.962{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA1461436AAF63ACE47ECF1525CFD61,SHA256=A6C1EB17AB40AFF15F968A6AD463A70ACF8AD278D1241C9A77C4C6F8A11EEAF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:55.929{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50853-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:58.148{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3927BD3185A4451EC38F8317237BE3F9,SHA256=859A908972DC4FBCBE4CEC3C714DD659F4C983A1CE101429C7D73FE76D579A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:58.039{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ED40A9244EAAAA3C9FE858694F0894,SHA256=8211DAE5F19D9B557C3A26C36CA9D9BCC479D90D089AF4A9A2BD7DE9043CAD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:58.275{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=516CC7302C42FA36669DA274823AF835,SHA256=53DE27DD0E04F0A15721313E6E75CE898E275EB3B4B929663CF28D421D393CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:59.970{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F897EE2D4BE2992432ABBD2700F0625,SHA256=947A2CD5D36F9AB54D0888FA3C75E63BF1CBB8299568D41C933E529849476C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:59.228{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:59.040{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5069E4C55D1933FA607D863890A1009,SHA256=CAB9DEA02F163B5A4F83C9C007B15F4E9EF41760555FB8BCB8C9F497FF7FB59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:59.455{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A9FCDB53C0F48444EE817DEE98A8A72,SHA256=42EF3BABB801222967AF0A027C6FC136317CC3AAD91A4699AA64354DDE857329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:00.986{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596E23B808C5E1FD56A1586D7FA1FBC7,SHA256=4F2F9AE6E7895BBA9043B86DD9D39FA8EC1675F677D4CCD20CAE20D5DB35947C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:00.736{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=386956C6C2723E0C478FB028C9B6C6C7,SHA256=FD39A75D646BF259E30F0BA2BD92C53067B14A6DD3F4D287EF6CFF5EAA8EA182,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:19:58.057{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50854-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000612268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:00.439{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=079B79B12E81AEA33CC2FEA7604E5011,SHA256=CFB2225C6DEE5ECB3FAFCE010276019936439F61BCD7D1EB6D68E242BA0335F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:00.046{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC95365AA5DC2F4C3EACF6BCEF1BEFE,SHA256=F5D1C93B3A4AE3F945717831AAB593D706B5EADFE8EB16E16F1A7DD8A7222F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:01.049{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494179574DFCD427D6BA5555FFFD74A6,SHA256=95ECF9CB1BD522E61A398B948318123B5C1485DC9364EEC86F6468592D3ACC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:02.206{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:02.206{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95392AFCA6F9D10FF9F6EEFB4B7D761,SHA256=087DDF9CF6D75054BD458F107CA8B94CD69DB7C1443B31F0F5AC85F5754F4DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612272Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:02.424{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8747573F46AA19EC3EF2620A782727B9,SHA256=B37713C294FC23F52F786854FC9A067FD45349DE09090A5091A7B5A77327F5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:02.064{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EE454D035161E8FE949CD663D049AF,SHA256=A608025F184E3797505CECB212DC703722DB0428F73ECC76CDE9BF802B48296B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:02.159{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=564B738554E41D3E0258D343E2B2AA30,SHA256=6A3BA290F20EAC386881A8CCCE2EE3A3D4B418A0AC469E384FA8E4BE8C175D8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:57.663{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58221-false10.0.1.12-8000- 23542300x8000000000000000668357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:03.234{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD3FFB26CC201D27E121BB7210A0F4F,SHA256=D6ED2F2D4F7511DB5908A78CD5399AF4E7421873E9A8B269937CDD8507FA4FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:03.218{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB4F88BEF77DEB9CECB9C02B8CB1CC8,SHA256=79B968463E4222C4B71328681BC21D61AF9A6F97C71D97D5B3D4E52307706136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612273Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:03.080{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BB8F013E450B658FF821F1548450DC,SHA256=D624653DDDC2E82011A9E613DF385876DB76C983C3A9A2CE273D4DAF475ACFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:04.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C86ED9FB989C7C0DF3D7B27B68D249,SHA256=DB2972CF8D10EFB4907A585ED58AFDBB36C2BEAB9971EB452896C287F4F6EC77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:19:59.649{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58222-false10.0.1.12-8089- 23542300x8000000000000000668358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:04.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE9AB1A2E746C7E4743B272FC59047A,SHA256=DCEA1491978D1A878008DD18250CAAEAEE3E539EF5ECC61CB1CF633E98D2B102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612275Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:04.080{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79FA47109788E5D89E4B0C578585F66,SHA256=C30A5ED3A884C93D385BB929E9593E5442CDD349A155BC76C0BC8B42DA507E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612274Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:04.033{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E91EC91704B5DD3E9B8934A2F32DC2CF,SHA256=6DD110FDD406D24315824B48832B28D197D8565D54CE37DEA36340B9422CC56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:05.581{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6CFAC40FA224F1E94CBAA65854B65D,SHA256=9D9B02E6268CD4B7D7969E2EB522A0E8DE9632D0DAAAF15DB4BB868DE0CED1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:05.284{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DF6A96366F063B4013AE320692E5DD,SHA256=EE6A8E3130299206B070B5C22E60EF953011AF27C6BEA4A04F106CBC33789976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612277Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:05.080{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4BCFFC30CA28EA9F9DC2A02EF691FF,SHA256=748EC1477EB0D80BA37EE72942BED2332DD54BCD832C6471922F958CD7ECAC6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612276Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:01.877{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50855-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:06.737{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=240FC25910B9E1FAC1A860396E347C1D,SHA256=042B5785192BDE911222F99F9C0F371421D43B77E40B41D64C8CA66586A01CC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:02.462{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58223-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000668364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:02.462{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58223-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000668363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:06.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616C8F5D94C12263D1F49B1D2BD384BD,SHA256=E8375F53696DE1CF8993C4C2BCC003FBA14D6C2870BB0E292FB939D199B12A23,IMPHASH=00000000000000000000000000000000falsetrue 
15:20:15.237{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:15.237{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F32F-60B8-EC50-00000000C401}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:15.237{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F32F-60B8-EC50-00000000C401}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:15.238{D419E45B-F32F-60B8-EC50-00000000C401}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:15.190{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF2BAB3EDA1180CFB43B6405590E39C,SHA256=009FE494E2DC7B2EAE0287241EBE4840356B8537A0DC79B1D49285D96BCD1378,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612291Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:11.986{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50857-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000668437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.893{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F330-60B8-EF50-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:16.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:16.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.893{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F330-60B8-EF50-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.893{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F330-60B8-EF50-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.879{D419E45B-F330-60B8-EF50-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2652A3E4C199384125639FF5233090,SHA256=FEEC4734DABEF87FDAC156CDA53BE6C4BCA58A3EF35453B971FA3A9F49CC4D9E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612293Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:16.283{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCBD564B29A2B7FEDFDFCA340A2392A,SHA256=2718BA558632FF70C13F054D6D090298C5798BBE649A725231D9154C9FE4285B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83736931372A8D7B313DBBAE44824298,SHA256=87FAAAE0418A2E140552D115E10F2B7F58D03504511A2F52D24C5F4414E925C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.378{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F330-60B8-EE50-00000000C401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:16.378{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.378{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:16.378{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.378{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.378{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F330-60B8-EE50-00000000C401}592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.378{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F330-60B8-EE50-00000000C401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.379{D419E45B-F330-60B8-EE50-00000000C401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000668419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:16.081{D419E45B-F32F-60B8-ED50-00000000C401}55645180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.878{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=703B5B2CFD3DFDAC80D81C6B7F472C3D,SHA256=1ADEE96FDADA9E37CF6E930425AD2773C663FE7E42546A9CAA10B181EA8587DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.878{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE8F5852FA06A42ACB55480C8869058,SHA256=FDD90A0DEA66424D0509BA6BA00D7FF943ACE74FBD2ED6AA65926BC99DC6F0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612294Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:17.283{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE13182B145F692A0C6F9171C8C6996,SHA256=C3DE34EB53655630D8CEDD7D373410026F5BCF3F0D4B73B8D763030638B195E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.565{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F331-60B8-F050-00000000C401}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:17.565{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.565{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:17.565{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.565{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.565{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F331-60B8-F050-00000000C401}5768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.565{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F331-60B8-F050-00000000C401}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.566{D419E45B-F331-60B8-F050-00000000C401}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000668438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:17.112{D419E45B-F330-60B8-EF50-00000000C401}70643204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612295Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:18.314{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6EF0B6351D2F64BED63FE290D6F2F3,SHA256=B52DC1DFCA3601DBC2E9E08283FBC2B2D78E20CB6B34F632BFF1A8613755793F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:14.633{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58226-false10.0.1.12-8000- 23542300x8000000000000000612298Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:19.330{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB51938217E0E5540E9913F2D974E0AE,SHA256=9003D99864A2E045DB9738BC9884AC0C215F1986137E3EE837A7F9A2CBC1C6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:19.018{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CAE8488184BE607D41E07D2634A76EA,SHA256=3B46A2823417BD890836313B8FFF8B6DD9414BD9A45069BC7C8E7A1F09B43E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:19.018{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C23B7CA83C1DCF769745004702D39FA,SHA256=F0DCD2BFD1027A0D995B9ECA39197B6597C746C00B537965C6A4217DD06B2010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612297Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:19.142{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D73D784F63A4486C8B16BB9ABD7F4B,SHA256=1C784F6F510DF4BE6484B5B20DD2C36AD6E5435548823CD5FCE5F2F6FBC10FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612296Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:19.142{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A3D4990ED1A71D3C2A8075D19BD93DD,SHA256=7738F00D8E10133D83A357B0CA1530D1A616C35414D68B3020A96D835ECE3516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:20.363{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892B113170C43DF6BFC866B25999A026,SHA256=555C21783CA31D3D0E9D8218CD207823828621A438040A459DE2F87FF5516026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:20.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F61CCAE54220213E49CC05426B033CC,SHA256=E27624F7FB06F100584E46D3CE7C168BE52AC995A1F7BDAFEE4EE5B5350FB488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:20.021{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0993A5A3D75E565F95D959CECAE8FAF3,SHA256=ADB33DFF7AD94AA1595977B9177B664ED2DAB80EA32EFEECF491CCC298458F27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:16.987{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50858-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:21.459{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C46D058FEA6B84B4CB8DD04976B0BE1B,SHA256=CB75C2B3203A13DC3FFBE6A259FD4DE4A977AF3A0B6FF43C68558177F4625AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:21.068{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A087AF06E85B79F46C7C5C993D408405,SHA256=34BBA92E8A190AB5698769C75986EA4A1A7D788F77D40379A50CEE1C86610AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612301Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:21.378{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D9103BB33E7D6B9BD7F72CC9982EDB,SHA256=1ABC74723657A077A7CF3D4390170DA70B5AE9FDFD3E649C9D9EAF569605E05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612302Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:22.379{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008EF4DE6F53407037A301FF807C775E,SHA256=D358C9B9FBA590357145ABCF6F52591CB9F10D1088C8E63D0EA7764744B3EC80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:22.599{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51AC04716171F56B474AED540817A5C1,SHA256=4E3D8C9820DE7E5DF2E34B1EDD0B0AD845E9D8746E44E55E65E4F08F4AF887FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:22.177{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC29E1985F5E5F24D849E918ADDE42C,SHA256=400B75BA0613A6F98E0CBC669EC203C1FA657CBD3E9CFF1251F517432BC22333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612303Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:23.410{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2510719D4B89A7282726CA20A304345,SHA256=118C32DAFEDFC18697C976ADAD218332DE7AECDF31225CDB6C3B819267415E94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:19.714{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58227-false10.0.1.12-8000- 23542300x8000000000000000668459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:23.631{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=002194F3C38E48D7E27D1102138940A6,SHA256=46DB382EAC552570893C5B5F6E8FD550C5BCA7BFE5D24B2C52F65765BD18529C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:23.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6ACA619C2A7D2E49B826689AB39905,SHA256=DEDA9DCE6DA3A3BF931025768FF94EF59DD21CD3AA02276431CA9B7C5653D49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612306Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:24.457{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B2CB7FC6D8E5A626ED617E36A862B40,SHA256=B1FC76D19C2DEF81BABD0BEFA44160092F2287E49CF71D3713A01D3334222323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612305Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:24.457{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D73D784F63A4486C8B16BB9ABD7F4B,SHA256=1C784F6F510DF4BE6484B5B20DD2C36AD6E5435548823CD5FCE5F2F6FBC10FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612304Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:24.410{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E5081995C23395E1959D3F77725FB1,SHA256=14C28CAD99332013BE4947FF24C9862F039C0CB7FCCE02C9A7B57664ADC7E1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:24.881{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A55EE247E35484A5F928CD7EA275296,SHA256=EA84C76C75A65F830305A616438BE4D6478990760608ED23173D131C73F879DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:24.412{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C1275A26951EF57DE312A392A4A689,SHA256=8C6E280BEF8791AE0CDAA810EF74EE2DEA265769E2A6A481CC7001AA03146B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:25.427{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF5219A93779E4496710AAA5FC8DB17,SHA256=1D241B505CE9C5FD776F6FF3127B2BD176DBEA013562063A3C8C774DAD5B8FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612308Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:25.425{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F750A23CFBDDF8ECEB24856D4D970D7D,SHA256=718B9D536C7749490F819A656379B9F717B42F093AB2E3B285BEFA4C9A242CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612307Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:22.066{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50859-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:26.443{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9403B919FC412965F0A24B9492FC0ECE,SHA256=2FA5114C9943F9BC207AE8480780086665DD440F6FBB37A7146A597A535D6A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612309Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:26.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9385F883FCE3BB9DC0ABD81F7C7A67F5,SHA256=EE65BF11004B6D5773A2A4040A3F71D2A5CB632C6261680F614BE1B516D06F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:26.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95DA8F362A56925225B921F5BEE19EF2,SHA256=D0F9DBD93B76F182089239EA73F1300E1AF7BDEF6F09BC4D6BE0F7F21584B48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:27.615{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE15E80D43B0AE275D52C5B7306508E,SHA256=FBB1D92C3AEE44CA3663CA3223D79FE2BA666B195570A8E2A53CB7130E1053F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:27.521{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9416159EBF32D9D5077D9CA91216FB,SHA256=0ECEDD6DBDB9002AD21543DA85662FB3EE1557C11942A528D0C6C62FB43BA2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:27.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E2C6581CA02F517ECD5AAC0568FE61,SHA256=09EB7B95163133FF4C6EC9A6C83BD4246B51A1585EC246311F0C91AF47B355AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:28.771{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5C3BCDBE638F4FE443BAD6AFB4A1315,SHA256=316104DD0D32D98A2615277C739AD1E5EFE68652C0FBD27714D7F053C00ECF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:28.537{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81159D707F4236B4AC1C2EEFA7E6D7,SHA256=FFE099F28BC891FD24F66AAFB225910CE5471E0C7FB2C3B307337A3FB1E8B27E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:28.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F78C24E2C59884AEEB5C95E1DA1FA31,SHA256=781B0BB66934241761DE21F3E2C882D6262A8C118E9089AE8E8723B20E2F7308,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:25.636{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58228-false10.0.1.12-8000- 23542300x8000000000000000668470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:29.599{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512AF99B35E4257F5B2A2835CAD25935,SHA256=2E16067430E7A99C41A8E1E9A4F10ABBC4B314EDBBEC4E96C123DD695FEDD2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:29.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15E0526D8EE80331862FF42DA1C4FCB,SHA256=DB5F6DA0451C2AC128CBE6005AD06AB66D35058E7CFD5FB17EF888B4740EB8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:29.129{97C2ED32-7730-60B6-1600-00000000C501}1204NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9b49d37.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:30.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DFDCC561C63A45E2E75DC7A34173BA8F,SHA256=803B4F18EE5404A7A478BFF53A72F8A8BFDF64A1013DC29A643C7B7384794C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:30.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26361DE2198130E31A452665E12DE336,SHA256=64EEBAECCE88DFD24D9056683F099CA8E189C8D8F7E17892411F80D643A57586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:30.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=40BFF2B46DC21986503A2E70C5F3C9DA,SHA256=BCBEAFAB4D44C966D8801CA11D028B6483DB7B9335A7CF59F3F366A6247C105B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:30.615{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DC5BE9D9CCE1C1F1BD8DFB9425CC78,SHA256=4D0167DB2BB93B66FF59E2150F058BF473E85D9494F60CB5BFF982B112D89941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:30.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5A3BFDF1C22C5CC1BD00CC56FDC641C,SHA256=5EAF5CF8B92343500A135D5675DE128D78B22642332AB1D2CAAD2A12DA19069D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:28.035{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50860-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:30.175{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E972E2BB475A1D842961AE152E7E59A,SHA256=B4C6AF864B8AA467BEB563F5F0CC6C4D8038860F514870A6BD2F539E488092DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:30.175{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B2CB7FC6D8E5A626ED617E36A862B40,SHA256=B1FC76D19C2DEF81BABD0BEFA44160092F2287E49CF71D3713A01D3334222323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:31.660{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0B3747BFCB8781D03D9115175E417E,SHA256=44F0DD71E293C260D904D26E1D1EC4D8CF80CDEB636609F92517D30A4ECA27AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:31.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10F931E23F46F2FF911D335BC522EFF,SHA256=E85006E1ED6E2DF9290EF5385F50C6B744B4B1811807A9F031C81BC9115703B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:31.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B22E33F4B04F57CC802A116D024B446D,SHA256=E24A5158476DD39A17321E3CC9FCE050EAC0E19CE1530B69D0CC7D57B62CCC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:32.660{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBAFE2FF2D2884BAD76C051422D8581,SHA256=622929CA9AFF33443776C1CC9DDD8FDBD2ED3225C546C6B0216E7429F61EF61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:32.834{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D80F9D4AD9FED548DBE7F10868536A,SHA256=502BD67FB0D436C36B4FF5B3446BB8D58215633DFC8DBA5FBF5B571E23799616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:32.381{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=976A108A67D6466E49920D42B870CB3F,SHA256=711526408F2486DE02457F4C2BD5B916E2A1B81562743E3D71323FB9B34399BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:32.240{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8779C3E850FE7045ACC6492626A6DBCF,SHA256=6114040686BDE2FA867769EA0D4AE0309D8580BB83BF2D41EDF54B7B62095DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:33.865{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1CE24BC1CD840C50EF5EFDBF528DD5,SHA256=EC45DF562F65854EBD6171C697914365FCB8361F85EAAB0417499D9E077FD9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:33.675{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536175B1B16E9A0CC438FAD9D124FC43,SHA256=702BA2BFC872392871535CDA885A37B3492DE1F44A67A6CC1BC318723B8C8784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:34.881{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA79A8DCD95556A9BB388F6CB4A272E5,SHA256=712B890BB91797215718BD2372BD5DB58CE8BE8EBA2785A4A4F1576303D2B4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:34.675{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29252F5D43B4449E70A47FD2ED228389,SHA256=E99674F831B698FCEE1716E4EDDF1C75CB3635B656499875A5958BD195CEC5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:34.084{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE491EDD8BA61B35A29FC1BEA611BAD,SHA256=79E77A25B89458C5F045F97099A262D5CF8B2C50996C9C4BE271A5FAB0E4C1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:35.896{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFE08689B9C42BEC76313A0B9CD1CCD,SHA256=5D34F696F8E3DC00D6CF3024890A21E68886EA3F864F253FC7731A80A14A6C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:35.691{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E18EC7F6024F6355D6B32428596E935,SHA256=A034FC2B7C081E1D0AC8E13F7E5F8F615ACA25FE0E0ED9810DC01F2BDB2BEF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:35.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=843657C70078154C3231958FACD8FA72,SHA256=E91FBA87E3C8B79D77F8958E5F05A367F47E5DAE15391023A5DB0D28D3728156,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000668482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:30.667{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58229-false10.0.1.12-8000- 23542300x8000000000000000668486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:36.912{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2BDB2D0E74BE0B167E5C5CB81110CE,SHA256=451E01A394E5116C36BB8DEF4C51EC87B4C23525A7E1A16DFE6AB5461B7E4E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:36.691{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AEC5353BF186A5F1AF00101C7FA8D0,SHA256=35965A63048AA2886190E89DFF66F62A2C106E2225057AB80524E4EC66525BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:36.256{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89056F8FB0A16D0661D03D5FD87C7B63,SHA256=02369C56D13E5628696CA76B59B3868CEE6BDDC010DEC13E5790176AF08B3A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:33.988{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50861-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:36.191{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAFFE8E39946017EEABBCA6FAC1DF158,SHA256=96CAEF76B7B107DF386CEDF6B3217C94DA06717542510E7D61D8255194CD6DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:36.191{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E972E2BB475A1D842961AE152E7E59A,SHA256=B4C6AF864B8AA467BEB563F5F0CC6C4D8038860F514870A6BD2F539E488092DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:37.912{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057D9F905E91DEA271B171FE987846F6,SHA256=6110E9F1BE75BB26370274DCA8A2A73902E624051F3704731F23C7E1673DED90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:37.707{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC9AC15EBE62B3E8B50334C4D24D81E,SHA256=61CC1249868D0080910FF07C106A52286A11290A51650DCE607F9199D6834C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:37.412{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFC52B31D0F180D12A92A1D59120B053,SHA256=A7DBFA35E175783158FAF26BB7FEEF590BD924D8C55AA159785FEBD6CBE01A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:38.927{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24C179A47B5E34BE038AAA16B65EB2,SHA256=E3F01228007FFF6BB6B62BF1D4858A5F7F62906D9F7775E6CC655D599F1F7E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:38.722{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769BC40BD8FEB30D6834B2C18FC8A6D8,SHA256=809416A2FA223DD04EF43743EAE80AD8B74A98027ED38F4489E220C97AF2CBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:38.802{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE66C3FB7C9D1156004E4ACEEBCDB9D0,SHA256=5582A28C2669B89FCE8AEF4B2215BB1A60DC447B171A96DA0F4FEB6FDA2DCDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:39.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A347E6A9FB02FCBB1D5959D2357758B6,SHA256=1812E12BE63F09AB30C19BE03D92525F8344EE1A604274A539B0F6F6C590BF5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:39.495{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:40.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A5F0385A6ECE5309424F4F6D3D75D3,SHA256=422F75D7CF32000F4A4A79066862365AF50C28C252B049ADA2210DB43D07AB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:40.292{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6DF2138B9DB1C1CC0B03892736A5E5,SHA256=B4CB66A266E59374CBC9B5EB437198D382BE700EEA0231AFC64D75B9A40899BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:40.261{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24E39D03B317500976D127352C77ABB,SHA256=5E0B0FD9F1581B8D06B45C5F49496DBDF27E61C115D5B60E41ED94EB7AD3605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:41.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2077856A54407B4553976410A5D5F24,SHA256=9733747FED2D12FDAAF51824055D06D5C260024A571BE5B5D5263DCC8BA1185E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:41.370{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4D31B6AAF3BC12820408A0C55917539,SHA256=6070F749B7F394110B43E8892A36061F0C2699F2A6491E2D4CE8FF4B861C6D5A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:41.276{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81AF144399F20A47BE784F1CD9BD0B9,SHA256=E1014259EE81FF4EBE34AD85EF2D389EDB8F8167E1B2522A8446E7024F453F93,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000612335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:39.040{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50862-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000612334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:41.196{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF624F79E7DF828D5B3E9E0914A8749,SHA256=F5D326DD184AB588B6F519E71C95357F767584C9AB1074CFF6E0416189FDD316,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:41.196{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAFFE8E39946017EEABBCA6FAC1DF158,SHA256=96CAEF76B7B107DF386CEDF6B3217C94DA06717542510E7D61D8255194CD6DCD,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000668522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:36.510{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58230-false10.0.1.12-8000-
23542300x8000000000000000612337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:42.743{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D2D79DFA301FDF2BB1F2784054FE16,SHA256=7A6EF142D3CC359B5B2072357EFAF8736A3123C49DA608A5E4EBA2C18B4CBE3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:42.479{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F56AEB8E112237C611BC178507C751DF,SHA256=FDB176D25020E2E5713277A9876733F23368270A3D7738CB2AB410B2B8793E67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:42.292{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC152A152A9AB3A38A45A85F0D449074,SHA256=C6F371F7348B9FC44D4B73FCB3ADB60C57AFD31BD0B0F3A42B927933E1D004A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:43.743{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43044E4B0E5CBE1AABCD9ABEE2EE648,SHA256=9DC4C9B2CC9C65CC3B20F15E95EDBD5924EC373A4F3E9B3629AD35882177263E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:43.620{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B654D58DAEA3941660689D7E80459EBD,SHA256=0665B431F6C1FE8E031A6BF31A47370825FCAED3A0CA460BD177FC450E4102D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:43.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF80FC442456642BFD9C77184B9D3F05,SHA256=C83634D5D55EFCAE84A1CC5A3865272666E3BD97CA14B86AC0D5C63AA3541D6A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:44.743{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606459FDEB09369E4410104792FF1643,SHA256=12088D2D9865B5C2D34B3337C26275AE585E2B93E2B051ED53429FEF4714FFAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:44.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D653467D87DF59C6BD69DE4E97DEB8C6,SHA256=9EEF8B6FC859D1FEB96EE6552EB47FCD3B77EB60A1723278250E07C97417202C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:44.323{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5081333DC44E0636605A11D2F1366428,SHA256=21E344041A7FBA82FDB9AE4CA801FCDAF553E4675BF418E9D30AC928544CB3E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:45.759{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20569791BD1104237F17596F9B5E4453,SHA256=4C15F235C98125E42CCB7D8400F830005E7C39D7628D7FA7DD48CB015C83EE6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:45.323{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814FFFBD25A481140BDDE41D15049CB6,SHA256=8196619D50872BC83006E9A9912EA9CBD808F8CE0E1F5C161719F5227A8046D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:46.759{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C1A7786CA4AEC32B7B63BD8AE0103C,SHA256=CEF43242DC7A75B72189C0F029C6B7B353E90D34B9947CB7DE593F6410C77FAD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:46.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF0970BF02607A91706A20450D3950A,SHA256=B6661781F50CFA0DE91EFBAE818F7773C000C680C9FBD346EA3419E75978EED3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000668533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:41.547{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58231-false10.0.1.12-8000-
23542300x8000000000000000668532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:46.026{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B55532E6ABB90DA8A592142697B9B0E,SHA256=F6F812F7132EED3997B013666B12A7CD26FBFBC84F2BAC69D4B9FFF82265560D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:47.774{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29E4C0A78254D36DD0548B938547556,SHA256=00AF779479A1C7CA9AEA0C4C94D5AB3F60C06AD8AD52D3F357A155D11CC58CDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:47.495{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D058974769235C1BA9C0E5D4436E55B,SHA256=DBBE52AE1FC1C1117AC474A9C5C613DC06E1040BBAF1E671CAC36BF93E069649,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:47.354{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428BF1BC44375E5F25DD471719FC92A0,SHA256=8828684FDD6F35DA2CE54E3086F228DD1D65849F1848B9EC409DFD857E2E9BD8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000612344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:44.962{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50863-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000612343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:47.243{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=825029E7BC75A582C4720C1CDC040678,SHA256=8B8C73DB8FD32EFBF40465E9D5D1E51E183798B090E627599C8DFAA939FB1184,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:47.243{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF624F79E7DF828D5B3E9E0914A8749,SHA256=F5D326DD184AB588B6F519E71C95357F767584C9AB1074CFF6E0416189FDD316,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.667{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EE666742F934727E0B92D53CED949,SHA256=13121751E5DB2B19E42F814B45BD902A784DCFC66EA85B2D24739F21D8C6E8D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE39912C2BC53D44996B9E9D627FC3F7,SHA256=69EFB5B5D41ECC32FE1FCFDBA4F167F19E4FB72547CEC08F33C1DCD0EFE6BAB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.774{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1FF57BD05E8BFA393F57A9111B0E0C,SHA256=22A2E058E208C27F93F94C4FD643E76EB2F3B7DE8791846F9B6DEF0E70291892,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000612353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F350-60B8-245B-00000000C501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F350-60B8-245B-00000000C501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x8000000000000000612347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.680{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F350-60B8-245B-00000000C501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x8000000000000000612346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:48.681{97C2ED32-F350-60B8-245B-00000000C501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000612365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.774{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5225566E38A95AFC57C39D79CD6DA9F3,SHA256=C7C623B26E889B63BC650C1E2E34E342A7A9F3193E86FC1259311083B90F7E89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:49.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30DE9A034E700996D1CCE54DD636D2D5,SHA256=756D414E7E0254F9E26ADF4F162DBD02219C3831F286B244D805377F9A892B62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:49.479{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A7FEA263BFC5687CCDD0AD43640A39,SHA256=A69FA8F967FB88A0E750AB92421A4C883C69FCEB537B4CD612A2079C84A5B73A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000612364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.680{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=825029E7BC75A582C4720C1CDC040678,SHA256=8B8C73DB8FD32EFBF40465E9D5D1E51E183798B090E627599C8DFAA939FB1184,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000612363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.477{97C2ED32-F351-60B8-255B-00000000C501}28604764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F351-60B8-255B-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F351-60B8-255B-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x8000000000000000612356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.352{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F351-60B8-255B-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x8000000000000000612355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:49.353{97C2ED32-F351-60B8-255B-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000612383Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.821{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02D4715EE610F6C5AB3178B5E0DAB2B,SHA256=4C588D3E07F2F109B96B8C795F561C64FAB4009AFAE8B9837A236D47C62D8CAC,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000668545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:20:50.995{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML
13241300x8000000000000000668544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:20:50.979{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001)
13241300x8000000000000000668543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:20:50.979{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML
23542300x8000000000000000668542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:50.948{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FA5BF952E0C040CEE4E07509E6A70CC,SHA256=EE72763A067EEC818485AD950320B98EEEBD26870C8C31269DAFF48E2576FA19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000668541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:50.511{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E15DB79C9AD6D06803CF32038AADDC,SHA256=6520C3AE8E1AD59702E685F781F596714002D2C881EA8232B99DED07EB43E8E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000612382Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F352-60B8-275B-00000000C501}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000612377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F352-60B8-275B-00000000C501}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x8000000000000000612376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.696{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F352-60B8-275B-00000000C501}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x8000000000000000612375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.697{97C2ED32-F352-60B8-275B-00000000C501}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000612374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.149{97C2ED32-F352-60B8-265B-00000000C501}50164740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.024{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F352-60B8-265B-00000000C501}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:50.024{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.024{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:50.024{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.024{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:50.024{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F352-60B8-265B-00000000C501}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.024{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F352-60B8-265B-00000000C501}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.025{97C2ED32-F352-60B8-265B-00000000C501}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.821{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDD768DCFD509162F56F32F6DC02EFC,SHA256=21B1014AC0B8CB14AD01DDD81E2D4B1DC478E3F86E55358C61135D645E8DA868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:51.526{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865868F99EDCE707A1437A0E0A58D96B,SHA256=891CB21FA85A8559030DBE42C2DBE40BFC025BE520AE26CE276B53EC4C3B88B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.368{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F353-60B8-285B-00000000C501}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.368{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.368{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:51.368{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612388Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.368{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612387Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:51.368{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F353-60B8-285B-00000000C501}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612386Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.368{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F353-60B8-285B-00000000C501}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612385Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.369{97C2ED32-F353-60B8-285B-00000000C501}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612384Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:51.056{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C5EE7C00F7236BD42F8F4DD2CD87E07,SHA256=B6E658496C201430409C24C83D91D4EDF240D1C96397C67171AEAAF462AC35BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:46.563{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58232-false10.0.1.12-8000- 23542300x8000000000000000612413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.852{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255FB2AFC1FC882432081BF7E3021704,SHA256=5FFB713EE5874B5CB6663B38CE7AA699C6C9D4E0F80F32D97B607E321D0CF3CC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000612412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.852{97C2ED32-F354-60B8-2A5B-00000000C501}16764236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:52.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA32C5B4715CF62CF68C7607A7B0FA5A,SHA256=23083992B5D1B3DF861E5891451EFC0896F856B3DD0B96E33A6A15B07A674AE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.712{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F354-60B8-2A5B-00000000C501}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.712{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.712{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:52.712{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.712{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:52.712{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F354-60B8-2A5B-00000000C501}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.712{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F354-60B8-2A5B-00000000C501}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.712{97C2ED32-F354-60B8-2A5B-00000000C501}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.306{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AE1C0BA203E8E64C992C743DF66DCD1,SHA256=4403BA8A3C19AB1CFF4C525B5C9CFFD1BDB4A88B2F70B63E3EB23CF4987B97D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.165{97C2ED32-F354-60B8-295B-00000000C501}3816356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.040{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F354-60B8-295B-00000000C501}3816C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.040{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:52.040{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.040{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:52.040{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.040{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F354-60B8-295B-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.040{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F354-60B8-295B-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:52.041{97C2ED32-F354-60B8-295B-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000668554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.465{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58235-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000668553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.465{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58235-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000668552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.455{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58234-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000668551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.455{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58234-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000668550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.439{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58233-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000668549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:48.439{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58233-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000668548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:52.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D644EB1F410D6DE29B406DE157A533,SHA256=8C76CA5C52F7F1AC99B21C97E2302F712607E80266E9B55F66ACC5E33FEFAD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:53.993{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A182EF426913EB497EC4BB00497F12,SHA256=551D80B135E3689778857D14B7F3AAE4C956707B73F6A501710705750F438740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:53.823{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302B1A6228514DF9D88DBCEB47C876F0,SHA256=8AA68154C8D8E3BF5432C843A93B50A822648035EBC78C841A623E80B689B7F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:50.056{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50864-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:53.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8DEF1357B0FE0D76352F706CBBC664E,SHA256=C835013A8791F3B9B581100C21620A1096B48E20DC4BA4E5E6BFF65B4C57BAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:53.386{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E303397B19C2D6754A4B1D07E3799A5,SHA256=2709A2FBD9116A0D3AFBBF4F8E6F86FD09440BD7BA19750C219BE36F8872517F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:54.854{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E2249B1C92113A7F3E22493892D27A,SHA256=7D9F4BF6DD0C8635B8BF44D7B0DE4B8334BA9E430C51AACF8B6E8DD6CAB71215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:54.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=537C76213CCE7A385B8AE6FAE8380446,SHA256=F11DFE399427EC5B055A5A8F2F76CE1E8FB891FD68B74DE1044493305803ECAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:55.009{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531DA029BD3C5A6DFDB98A56B8152049,SHA256=D184A0210974A343DDA1EE8EE898987A49646C2DFD8AAFC92020EC46954B6D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:56.009{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6005286E163191C42BDF7CC435693D46,SHA256=80A8670881B0479FBE7D7E8E7FDBB8FEE4A5F4FD7342B42AE264D9A74FBD67DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:56.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21518697C1D18A4C3F41C48C2EE569DC,SHA256=0D6FA1A8BEF8D6A35DC4B46171606F6D17CDA16CF87E03A8CAE1398D8CC99B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:56.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1810230E206DD7EB668EDAF086597CA1,SHA256=DA0F2F33D2F02FB7E7F09D8B5D132B44E470CB9F2338E01326212E5F6E4CB122,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:52.578{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58236-false10.0.1.12-8000- 23542300x8000000000000000668563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:57.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75C4E5E891B412E074D2E96A73FE41DF,SHA256=5C0AE291812BC8F9CDF75E5B4BB2AF0C569BDD92528741DD25F8FBD92BD7FE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:57.151{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BC779EC6B1CB503BED453616BCAEDA,SHA256=2C076C97324DEDCBBC7039F3BA824B12195369B74BB07AF411B002E9B2C61DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:57.071{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E021CD618AD2D1651B157CABDF4DB0,SHA256=1C43D6B318723F621A957EEFB37C31F4568F3DB39287A917256E7692E463DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:58.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D77A8F232B51D6E4D199F5C9846133,SHA256=AD3D0E43740CCD57A8918F2B4508BBF8074538CE8899EAA483452FFD57EB54B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:58.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D7EBD14FAE017AAA44FFD231307B9C,SHA256=F5F20B3DC0EA538CE312B262AE82B5818A212B8CD782DB33B2ADBD30222237F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:55.868{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50865-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:58.095{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590A47AD39B09C4734BAF9092408D0A6,SHA256=14F5A77B8E596FCDFEA9C09A6355E2FE88C684805201E6B854F53A41F20F61C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:58.040{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910346CD9316966FF9099F83AA1FC9AD,SHA256=204CFACA8E444FA11691E6EF2BF6FD77030F9DA4A0C4385B1B1FBF16E3521AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:59.617{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBFFF65C970B27DD67B23F17AF490E71,SHA256=AF555C48D980B0F85683CE1E64D798168714A05ADE229A2DE9B61E46B9D834BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:20:59.417{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8527455EC59ABCE86E66F7278BC0A9,SHA256=319860862F00DABC2BAEC21BD7FB8DBA87AC8EA0E20A1CA4F3F06DC723C35652,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612451Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612450Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612449Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612448Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612447Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612446Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612445Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612444Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612443Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612442Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612441Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:20:59.630{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:14.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:14.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.728{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F36A-60B8-F250-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.728{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F36A-60B8-F250-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.728{D419E45B-F36A-60B8-F250-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000668609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:09.592{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58241-false10.0.1.12-8000- 10341000x8000000000000000668608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.056{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F36A-60B8-F150-00000000C401}4392C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.056{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:14.056{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.056{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:14.056{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.056{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F36A-60B8-F150-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.056{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F36A-60B8-F150-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.041{D419E45B-F36A-60B8-F150-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:14.040{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F19FBD0EDB851E75CEB5EA378487EF5,SHA256=490DE81C64AE697DCE4E043913DB5D82828397D99477A1B44FB6789F757A048E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:15.645{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5282BC04B5A061580839BA4EB0A7401,SHA256=DDDC0F0013720BB2A9694D85AFDDED885FAEAEC1AB43181DBADCB8DBBB3C8273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.915{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F36B-60B8-F450-00000000C401}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000668635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.915{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F36B-60B8-F450-00000000C401}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:15.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.915{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F36B-60B8-F450-00000000C401}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.900{D419E45B-F36B-60B8-F450-00000000C401}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000668629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:15.384{D419E45B-F36B-60B8-F350-00000000C401}40246112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.243{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DF172A1EFF8FCDF705415F5B0AF21E,SHA256=D56A3BF52388AD00DE0BCC01FA3F6566020AF941CE2E2A0F8DAB3B1BE48167FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.243{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F36B-60B8-F350-00000000C401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:15.228{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.228{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:21:15.228{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.228{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:15.228{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F36B-60B8-F350-00000000C401}4024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A210DC4F0D40A2AA8CA415F102F50737,SHA256=BFA5C69A2E0543C43DF45C3A690C906EFE6DAB8C7CE5C2A907903AA23B399540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612490Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:24.908{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE8F1A99BD6A8BB964112FC467B7085,SHA256=4C828597A1D928770BE3F285AA5E8505BCF2A95A3F502850609E5E03986EA1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:25.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F39021810FE298481EED9A3ECE16AE,SHA256=D491383E4109D0146370192102F490D0425C7494C2D675A14D9CB4427C2E78EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:25.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1504965FBD7823281DC9D6483DB1F4C5,SHA256=844A6EF54471E2B87432EFB565300B69F3383575A01E2C01896BC00271154ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612492Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:25.908{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACFFA6C23D72C1B4A857F816FA8271D,SHA256=93084EFD69CFCFE38EA55F428A182F469C086721D58BE0CAAD34D7956FE0233A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:21.540{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58243-false10.0.1.12-8000- 23542300x8000000000000000612491Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:25.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C42FA52BA59371F4555D56078274D266,SHA256=476819877E6DCA6006E8487DC30AAC8D3DF66503EB01CA0792DB59B8104BE91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:26.926{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895B319630C1F279F5112767DE8BC68E,SHA256=30557D19A29B4C1D9D22B8DD4504319DB68940C125CB7C9345B1919F7EBB0A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612494Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:26.908{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42E1CF709A26BE63B79463110D9CB4F,SHA256=001B2739310B599A8F2B162B93E75F1670519A33A0693253554004E0430F2AB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612493Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:23.065{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50871-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:27.941{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D25EEB253C119F38CCF32B8C04049BE,SHA256=9DBDE8D1111391B158BCF4AADDDD4CE1509145BCDF704116C41E25722017D502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612495Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:27.924{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D7B278D4A242262DE978526D997650,SHA256=0AE3CF3FF461D79873C4F80D3B3E9C546E8A6A061F62CF655B5DE5CA5DFA9239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:27.082{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30512D0BDE26921F252CED07BE432056,SHA256=8C584E8AB17EDA5421B2C537169242D19E73A7604EAD0F6C9324A53C74BCFA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:28.942{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0635C1BCDE323BB10EE07BFA8432F64D,SHA256=21A81CD464C0997FA32E956CEA536F30A59E3A687BBE329BFBFF04CBEFD032CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:28.924{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E15C1BE3E9DFC89F98F2548C2A12617,SHA256=22C25124245F23921F3443FB61DC68FA402BB00CAFF729DE47D02ED49860148A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:28.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AB0933EC4670091B154943DEA95D39A,SHA256=B132A463044246449E19603B3348F7AE5E7ABC8A5A61BA0320AE55AC82982765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.939{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EF4E66DB7B53F026A68A7ABA5950D3,SHA256=897730CBDC70D8C49ED5C20CEB94B5EEE120F444BDF23B7B1B6980749659E20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:29.957{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D4D8B8B3404A88B8A919C01AC58667,SHA256=B7BC634CC1910954682CE2D49C7587A5927E2C338E2D77BC59D934A8EEAFBE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:29.332{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AE10F0A6A71026CB4F07ACCCDD6AD16,SHA256=10F5DA80E38F62CC81EEFB037F989A02BD5A50FBCC8AF37B965167454DE8255D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000612516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.158{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 
10341000x8000000000000000612515Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.142{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612514Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.142{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612513Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.142{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612512Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.142{97C2ED32-7730-60B6-1600-00000000C501}12041340C:\Windows\system32\svchost.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612511Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.127{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-F379-60B8-2C5B-00000000C501}1708C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.127{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F379-60B8-2C5B-00000000C501}1708C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.127{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.127{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.127{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.127{97C2ED32-F379-60B8-2C5B-00000000C501}17083328C:\Windows\system32\conhost.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.111{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-F379-60B8-2C5B-00000000C501}1708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.111{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.111{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.111{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.111{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:29.111{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.111{97C2ED32-9D3E-60B6-7A08-00000000C501}33646092C:\Windows\system32\ServerManager.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c
6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000612498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.111{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000612497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:29.064{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=083B6EF16297CA6EA41F69E9E901AF88,SHA256=1103BE4B996A3360D7A3924A4913FC04F8F0DDBB71AF9B4A5FA0FABD6943E961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612532Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:30.971{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AE1939C5459F81EF00481F6108DD3F,SHA256=2CCAA15ABE8D6CD56CC9BA0EEFD084C064E11761EFCBAF64B3DE9D475BC33A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:30.957{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D39DF3A25EB0465B6994ADB4D73A32E,SHA256=5B274124937DFF465E0C44FDAC5E83E625C5151E1BA4480B37E2313EA88A0D85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612531Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:28.008{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50872-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000612530Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:28.008{97C2ED32-F379-60B8-2B5B-00000000C501}996<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50872-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 10341000x8000000000000000612529Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:30.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.096{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A45F691F8234E3D31E151B9FA12D28A7,SHA256=93F1B4F71E8B861B1F2947C82ABB2A99B5D1B743982CCAF64A56AC4D17FCE3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.096{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0EA3892C3BB19037965FEC45A0B1369,SHA256=1EDF5D98B604E4CEB37EE7573D0BFBDDEF07291775747CB8A823A08F2C4E96FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:30.096{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DFDCC561C63A45E2E75DC7A34173BA8F,SHA256=803B4F18EE5404A7A478BFF53A72F8A8BFDF64A1013DC29A643C7B7384794C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:30.488{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49C26B0F78B2D19445114FBB00BAE1FB,SHA256=BEE6773BE498B91789FD39E060C17D76A9155EB2BFE3F44EE273ECE409A70E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612534Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:31.971{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97C756C44F1A13D22448C301F672B60,SHA256=B77540A7B7B8FBAA53AD8365CDA4D4DEB9F55B7710571226CF8E1648D39B4730,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612533Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:28.908{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50873-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:31.723{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238C14AA00AE3E0719CA07E2DEDCA73F,SHA256=0B25D45718A7BE0869580BCB4650F90E65EAD559521441FC30AFB97BD1E28FFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:27.555{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58244-false10.0.1.12-8000- 23542300x8000000000000000612535Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:32.986{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F70F6D7FEF138C6A660C2C241ED876,SHA256=4663F37305ED4F92FB5AFE0BAB7A7C289F42AC662C369BA76D644128EE02553E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:32.801{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A0436BB3452E3A045480889C1957FE9,SHA256=E7777F8AC7A9B055C49A91690171FED27C040FE6EC0185F6B41986861EB96270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:32.242{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5406B58B99E7216E974B3EB98A525C02,SHA256=042623DA6745994C267C158CCACEFF334B52E2053CAF4541BD917A2C1C8982C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:32.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30512354AF5016D590994DCE8636CD2,SHA256=285A9869A20F36C7953C0ED3E5E27947551717F20CCF3DE63AD93F7F43A61F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612536Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:33.986{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A015A1490CE156EFD7EF46752C5A0A04,SHA256=AF34EAFC3B5865567BDB06EBA8F3B18124D3E3C71D0B2EA6E7F39CDA33F6803C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:33.848{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=146216AEDA76298C35074829C0D0F6D8,SHA256=0EF741B6CD53F322FB07B56B5F1414D1FDB46E4145F4037D248420B17205D46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:33.051{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E918E7091F8096E2509240753530F5D4,SHA256=8B1E7AC8E00AD8E3B6F6F11B424107D9539F7A5F7D7A2176C38CB61CC3842676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:34.082{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5BBA43CFF7123CFD03D3997D3F1A0F,SHA256=343C8F2A1EC1A275E89ADA8903C7CDDA616D8C047BFF163F174ED6B9CE8E7A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:35.442{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81F76841F4CC31DBD3E49B9610CF061E,SHA256=1C5393D267FA425B936C4AAF638163053BF69B79807F6C6D3202D114A371115F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:35.113{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D50BAE94C095169459C33E37416229,SHA256=C68B2700B78C7526F61245E2A1A7135B3A3E0A0545EEE466902FB8A6BCD40713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612537Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:35.002{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FC3F2C98AFD3264F1BA8AFC13CE639,SHA256=ADC48EE46DE06B6CB28E68C82ABDD9B855FD87B4FD1BB87BA6833F2D10A64A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:36.551{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B89DF715EE5BF67D0D39DB0FE492C50,SHA256=3A2DB205657621B85A8BE9C0E711CBC415D11DA268A542714D23029A2696B4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:36.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148F14EB19EC7E10AA03233A0B7553E7,SHA256=0A4C00703D08F215D77F1CB69139744C4C362CB6771349F3616D86DCEA051CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:34.034{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50874-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612540Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:36.205{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A423B3AE1D74F6C4DC6CEC409EB8CB39,SHA256=3166B40FFEE88D7BC11DABA1C1FBF688B0D5C3EAEBE22297914454BEC202D1AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612539Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:36.205{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=469536FD5BFADE9EBB004C7E46D1304B,SHA256=7E6769DF8099D999D15051532D55A21F04EA2A18BB77FB345391F97A3DFB77F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612538Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:36.033{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843562F46EF469959FF04BF342CF517F,SHA256=AAB59C76DF75C1E9D2D135AEE60B483BA3D2E9E1E368CA6095700F1EF81A8A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:37.645{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41DA772A8F715E19C8AEB6B2085C0A1F,SHA256=71B055DAE227D547576F413FD4DE50CC33B9709B1389D8AB4D5C3A95CD9F6B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:37.192{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF41F799996CE4DBDCB3209DA5BDE4FF,SHA256=05B9CD5EE158027270E8B5600D5693BC589C3BC942449B41B10F540BA02C289C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:37.033{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDF5C18721D91CF081023E8B181F018,SHA256=EC30C0ACE7D31017D748892503D7619DF8967D4CD9815FCD5C662A2A4996696C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:38.879{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=389135D70FE01DD430363C79FD63D588,SHA256=44738601192E4F6E234669621167FB84C36AD394734556A258468072D92AB379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:38.207{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5603D960B5EA209A5AC209C3ECF4D93A,SHA256=42A432BEE36D90196E3D0E481A8E1BB28F51EF03AAC91F1AAB116C2FEBDCCD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:38.049{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78AFC4831E10DC6D41E051D74883D3D,SHA256=8E63F167FB87724706FC9F10E17326427F911F3B9F1BBFDE4DB7BA15605C2D34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:33.524{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58245-false10.0.1.12-8000- 23542300x8000000000000000668711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:39.223{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B13EEA42BB4C895DC572BF23836058,SHA256=E4F1427E9767FFCC34DF10DCF80C25D84EBB1930274FAC980520FD48A48EE084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:39.064{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF22BB341EBBEFFC7E305960B400BF9,SHA256=4634A47A20A0A828D5237E8BDB7099867C88FA542E8DDFA21F7FF9580EFBEE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:40.493{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72421493EB7F18A91F5204A36A6AD333,SHA256=A27E5FF9E5E94F1F308FA9C062DB92E0FCD4E19B3D18D17BD70A82D4AE3A88C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:40.228{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F384D7353906C5F4392AAD8AE7243D,SHA256=23B53AECBB3B9176D1DB7CA2689F44B2FD2D741EA48512E11AE528018A2D7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:40.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889AB19A93CCF8BE5ADADF1911537BD,SHA256=DF9122CE322563B14A1153D055E1F93AA14878C7C733D9A51A4BBACCABDA2339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:41.509{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F107143B8BE7B7341701B6CD4FE1DE1,SHA256=1E2AE32346387481D27344FB762D17E378DC23FBD61235A3BD0FD57E4EFA68C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:41.259{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE6B3B0CBF09A94328F32C4488112BB,SHA256=166EBF04BB7E4106ADF30B495869933AB0865C19BDE9547F0C730AB29B4FC254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:41.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FA02A47EB59E84B10018C1F9370A79,SHA256=66D79618BA96CEC747777801DB9A68B0D65B69E06C1C4BD5E56BB00AC46AA7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:42.665{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBB931B42AD38B345E0AB037F6E6AE55,SHA256=5E443973AEC7D2DECBA075C64D527B9D63D051ABDAABA1A0546F959243912386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:42.290{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D015CE4F5733C34623E8921674C48C73,SHA256=460F4EF30893DD8E61FCB4E86164FF88CEEB73A107F43F362044F9493880282A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:39.991{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50875-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:42.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD65B6104BD048D9288752C754D94757,SHA256=3C4CBD721436B0EDB47AE5BD1961219960E518E6097AA6222C08837F7EAF4C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:42.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A423B3AE1D74F6C4DC6CEC409EB8CB39,SHA256=3166B40FFEE88D7BC11DABA1C1FBF688B0D5C3EAEBE22297914454BEC202D1AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:42.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233DE8B6B7F0448350F940D44FBAD468,SHA256=E69BE22849039D81856634230EAE203B300F93CBE56FDFD73880F23B623DCA1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:43.382{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-772D-60B6-0100-00000000C501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000612551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:43.132{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AC591A92C6FEAE0AF334650EE1DC09,SHA256=A00047C4143E2F8C2A9C38E3B13DA130CF8B5727B0FE26A83547836580FD943E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:43.853{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A72C3C46297C3076954EB806564EFC89,SHA256=49D37F799A3182EBCE0B93378A986F7C6886F7DA7ADEC44D35606AFC10E8C7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:43.306{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE896A7A24346CCA2461F7EE73040A1C,SHA256=0207F4074A04A8CCA42BFFBE2BB261D0565C3E611C75765E66E61B514F7FF49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:38.638{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58246-false10.0.1.12-8000- 23542300x8000000000000000668721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:44.337{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0791A444267E35769032E9446BFE0503,SHA256=A0413B7961994D5A012AE898719E948D153DFB62B8EF3080CD5E2C682968A8AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:42.229{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50876-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 
23542300x8000000000000000612554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:44.617{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD65B6104BD048D9288752C754D94757,SHA256=3C4CBD721436B0EDB47AE5BD1961219960E518E6097AA6222C08837F7EAF4C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:44.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679D74991DB79077DCF807E61D1907F1,SHA256=15F9FC941B4CDCC1E2D8C49A7F27501BAB106707F6BE64D97AF348494A048C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:45.368{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42B4C5F05D6BFB6D7D55421A9A02CDE,SHA256=D3821AAE3BDACB713160798E4D89F2C2FADC95AE026E9E22C71B96EA88FEFFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:45.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244CD2ECBD91A3B423B24127425DAB1E,SHA256=F67B10B1F329D9EDABEE28B4DF2593564EC822E6276A845FAE8D16CC311BA1A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:40.845{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50876-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000668722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:45.071{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5218E8D541ED27B0F353BC653BF93FE6,SHA256=D1DF23CD4D20184D4C63E148755A1F0676C3DFD24A30084EA457A4793B7A3952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:46.587{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8D2921B72B7E361A72A458BCA259E9A,SHA256=1AED695E6AB7C54A001E7EAEA8BFF6520514AAACC780B3907277B7DAB7DE007A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:46.384{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A43E8F6CBD61DE66211AE38EE745D9,SHA256=3A0D554F94F28DD6F92E80B859C5FE49BB9DA1EAB578DB90BCF95C7C68C77601,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000612567Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000612566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09b5cada) 13241300x8000000000000000612565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75883-0xc8824dd0) 13241300x8000000000000000612564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588c-0x2a46b5d0) 13241300x8000000000000000612563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75894-0x8c0b1dd0) 13241300x8000000000000000612562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 
15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000612561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09b5cada) 13241300x8000000000000000612560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75883-0xc8824dd0) 13241300x8000000000000000612559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588c-0x2a46b5d0) 13241300x8000000000000000612558Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:21:46.352{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75894-0x8c0b1dd0) 23542300x8000000000000000612557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:46.148{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEEBA07C93C5B2BAAB77A2980EA507A,SHA256=B93ADBF1984A77008D57DDAA38AFAAC40D3F13395B0B5ED6B3E3EADC69B925E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612568Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:47.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA16AE60B66053089C91D91038D40F8,SHA256=B44356BEF56D79CD93908DC7C001C32889C11606276C19D173829CAF1F082B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:47.728{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0045E95464324AF872A95926FD166F9,SHA256=81770AEBBBD868DC680FD06E2ECBF8E2DB3A83FDEAED0363EBE01866DCD96BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:47.431{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F65985007E3CBAA2C3B2ABCB8345CC0,SHA256=DF1AF9B21F02BFBF820453B7E23CA3C9BEAC929E42801D03C7563BFA37FA5CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:48.853{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=157FAA01C31E82F0DEB73AF13C56BAD2,SHA256=5F6E34F26D3207099CA913EF50934A39588B40C0B8544E4E897DA18CC27AC05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:48.446{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9AC6BA5C1F741242DEF190E5235D46B,SHA256=6BB60CB1F1D06B7BD302EB8E08A625E550244F90155BA255A8C5CA51C75AC6FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612579Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:45.977{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50877-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000612578Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.680{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F38C-60B8-2D5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612577Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612576Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612575Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612574Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.680{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612573Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:48.680{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F38C-60B8-2D5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612572Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.680{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F38C-60B8-2D5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612571Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.681{97C2ED32-F38C-60B8-2D5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612570Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5817264A34C51B1A0253C3B67EA3DC11,SHA256=EF733B27567B01A278BA95918DF91833F261B51F8F81DFEC1185D9C94C242719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612569Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:48.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA47CC89FDB0D75D22B2B64DE2578924,SHA256=9DA7621D1C1D35CBF0AF6D2B53F6FAFACF3EDF335ADDFC2C70234FFEA70F097C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:43.669{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58247-false10.0.1.12-8000- 
23542300x8000000000000000668732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:49.446{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3097BB6E2762A7FAEFBD7D077E505710,SHA256=54649E6D7338B1E247B6DB7F299CAF7FB6A5C0613C68FC99FD3FEA681FFC33A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612598Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.914{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F38D-60B8-2F5B-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612597Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.914{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000612596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.914{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612595Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.914{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612594Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:49.914{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612593Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.914{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F38D-60B8-2F5B-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612592Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.914{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F38D-60B8-2F5B-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612591Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.915{97C2ED32-F38D-60B8-2F5B-00000000C501}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612590Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C63C64B7D832538A00E5289C12E73488,SHA256=1D49B1A2F607D89E0AC2ED232759A821D540B6509AC94B9D551D31030A030F10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612589Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:49.430{97C2ED32-F38D-60B8-2E5B-00000000C501}39244224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612588Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.289{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F38D-60B8-2E5B-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612587Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:49.289{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:49.289{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2F1D521222118ECCE67FCD18C097BE,SHA256=8E77890AD0CA2517981E17BEC2B0D5CD0170900F398E010C20E55A02A84CFC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612640Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:53.617{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0DB929AE5439EE841F47C96D7FDD042,SHA256=ACA153541193C7447AB49BEC5A8950CEEF1769B165218F0BE7C866E27ADD7653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612639Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:53.289{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D0AB9A35458F1C4BE2B805CCBC0EC1,SHA256=12827472019BE11603949C4B020AEADE80591D87C516166D3791519C601ACACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:54.634{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE285B39BDE0B5AB586FD6282BBA290B,SHA256=5439867E306D682C7F854484AF801157D24B5B22CCCCCEC96D97BCBE0444A0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612641Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:54.336{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C4E79624A68FF8627C02B4E32EA766,SHA256=04E70641C488DCE57EC7D72BA1E4F220A2B4E61BF0AD893995C33DA36CA48BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:49.591{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58248-false10.0.1.12-8000- 23542300x8000000000000000668744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:55.665{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B5D264714E8EE1D1A66929529AAA34,SHA256=19D643460F2F13BF6B29217AAC0D7D5EE721ED660DF2C4369BB86C2A02F88BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:55.367{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F6D79B71DB5A71A0E3B3D3AC6F86BE,SHA256=1EBE30F652BBD31DE8690BE350C7B51F1883B0FDA2C95AC4F6DCC06BAD16AF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:55.056{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C1B60B562DD69882736823F3FC3614C,SHA256=A6AD7446893E0F80343A8D4828F4F76A62288B474987C01DB446A034521E7F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:51.916{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50878-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:56.681{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AEF95E1D6E2462946A032FDE25C179,SHA256=2366E821A060E1771E8CA76BD5BC2C89E850EBB87AC8CA8651BB52F3CB8B1009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612644Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:56.383{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9044D9FEA6CF048D9D47FFE05BCFE20B,SHA256=982BFA8B97B7D7A77842B0AEA4ECE1A51FC95E8DC2FEFCDFB91CC172BEDC5CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:56.306{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41711C8FD77BF657458190EEA6F981BA,SHA256=1F2E5FEF0F796C35157292DE8F7D7D71653C85D7D2AEF998190C082D6669A7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:57.884{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17039C370C4F56629866C279D3A4B495,SHA256=1DF77569922A905080A3E13FF2E49254FD9604B876707768027E2482A738B63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612645Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:57.398{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31A1B702900852982C7B64406B83024,SHA256=28AE54F2E1B98C697E017C4622735E42F4DD3D1FA491DCBCDBD9DE259D3FBE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:57.603{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFC8C82513A544A127868AC91B49F14B,SHA256=FBDADEB1B8A05C7D7B9AE429D218EA372711A6B93B150DCD4993DAB9F4127A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:58.900{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6F3211139B11A39F3E6E4A883EAFD1,SHA256=40D409E355B565B450A5FC1978D43FA4703D94A563E27D94B5635467B935EF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:58.900{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA987CBE022040A302F4982738CC086,SHA256=09B7A75067C4F7F767F68AF7728C1ED9EF5A6BF7CF872A23E6B9A8B229BC2B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612646Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:58.398{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A353041F42F54548E76B6CA12185B9,SHA256=D3FDED7625DFA0B6CF6F16CAB5FC37137D99FD42A22B6EB75D9096543B1A8B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:59.945{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8A40BFF55C1A982CBA50ED23A2FB60,SHA256=5B8D504734C8B6B582D6D64894F7F0BB7C2B16B8942CBA16C0D086AADED8BF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612650Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:21:59.414{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5CF7D3B6164F8B137ED01497652DD9,SHA256=4634864B7B584E60C7B2F49A704BC8E2ADAEAF00BF7B61165B2616AFA4DF5603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:54.700{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58249-false10.0.1.12-8000- 23542300x8000000000000000612649Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:59.273{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612648Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:59.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BECA35113EC64169F8A68C8B9A65B382,SHA256=66FE67B2AC8F17E499AC6A9328682C67D4F69EC27392FC0C26115F5FBB34E481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612647Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:59.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1EA55A6CFD971296A8EAC34719B1E8A,SHA256=33F7E4994117C6F94EA2245A6924978BD44B148F06564ECBE65FF7417535D926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:00.961{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76A2A03DC8DEB810E423951D9AC63B4,SHA256=D7B93A002FE9D7C287BBFEABCDDF9A66409A8B376435F2EA610BF8B79A730DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612653Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:00.428{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73A4FE7F49ED935943190560F29C297,SHA256=E2B7B2224C7B8DB603E82AEEDC501B33A8989ADBCF3518D837D6529B28ED57F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:00.102{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CF111326B92AD3A7B8F4209C660CC5F,SHA256=41D25D99657EC7250B460910044AE081A3ECAEFC21618631BEDA1D9ADE82C2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612652Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:00.303{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BECA35113EC64169F8A68C8B9A65B382,SHA256=66FE67B2AC8F17E499AC6A9328682C67D4F69EC27392FC0C26115F5FBB34E481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612651Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:56.977{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50879-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:01.992{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CE3340311CF3A357CDFAE9E99A1463,SHA256=0C79391A04094FAA4FFE28B35A6D9E02D25D13931B7468A4EE280F83A7557BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612655Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:01.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9811301A61A6BF5B4447F7C786087C4,SHA256=EADC5DA79D936ADEF56EC73C14587B86043DB4928DDCEE5A09CE07ABB38DCBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:01.180{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=493DEE85A40DE5FF6D3C070189F27D1C,SHA256=9FEF38B559EF10D26416649A601DEFA284F09CC4F5068D93A41E65B63AAA2AD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612654Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:21:58.102{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50880-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000612657Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:02.447{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89CB5AA5DEF29FA00BEF0FAA991431F,SHA256=1B60E9BE55A02C344085F06CEC0E048425C223E7FD222DA07BE9F678EB7D755E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:02.336{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F267FC565E3C45248021D347A7A2C4E,SHA256=F9AC52305E64DE54CA15992F4777047B7197ABC8B64741EFA5E6BF328D413B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:02.227{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612656Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:02.431{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEC0B77996509D625AE6197553BFE8CF,SHA256=55E7158FA9FC69CB68E142316393978AE36F798220415796D64706E1529B253B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612658Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:03.447{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D359D0EA062C1FD52277F22F064CDE1,SHA256=6C5B52C5E1BCAD2F58FF3385D4BB3713D273FD8D863CA47FEE67DF84DDC2CC40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:21:59.668{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58250-false10.0.1.12-8089- 23542300x8000000000000000668760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:03.445{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47092C126AAB446565A074516EEC64A5,SHA256=38F3910FF1322E6796110E18554631072F1D67FEC309522622B70EE7F708A1DB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:03.008{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E38F6FFA0876AF593867B692CCD222,SHA256=B7F139D8812AA1A70866CCEF4AF22267C9BA5E622776F78B4A003D564460328D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612660Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:04.462{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E4180239634A9D921148211746DCEF,SHA256=D4743A7D65BBF311E0A7DD1F582A4B712325036C9D43F40F67566E13D9460280,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:00.606{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58251-false10.0.1.12-8000- 23542300x8000000000000000668763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:04.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB043A381C859C6A385C521976529D41,SHA256=36C19DB8C6F453EBB2624824450F54211BB324AA28502C41D422466BE95B80A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:04.041{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3673D04BFA44680273016DA6DE3E58,SHA256=DAD92035BD3686E64EF51026EB3D8DCD3259FEB348D85E110A04BC69FEA90220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612659Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:04.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=542C0FF24CFA09B72E52065639AD4BB7,SHA256=0D1FD7B975ADC110878D4ACE32B3B08522CE5D4566D47E30613F4D37387A6C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612662Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:05.478{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37F3C21E3DD6FAB0D533C8E1A49B026,SHA256=37E22300BCD0851693D2B81402D66980D026720A7A32FAC5BA29FFB640391705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:05.085{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68538B69C2CD6CEC4A048D7FA86CAEEA,SHA256=24A7299B1BB8DC4930A3A2C2AD7EA7528EB239748381236039EE50313CC453C9,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000612661Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:02.076{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50881-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612663Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:06.493{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEABAAF2170794729A66E4F78DFB6611,SHA256=A487AAC27836FBD6246D8FF6718ABD7E3997C77F77C0CE87D0472291786B00D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:02.480{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58252-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000668768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:02.480{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58252-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000668767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:06.199{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26CCE7DA2381447F3CCBDE9FB6E97F48,SHA256=43E9C233596498D07084086F251A7EEA8240B6ECAADFFDBC25DF75B232ECFC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:06.089{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E65D0610B5CBF21343A16B1BCC3AD03,SHA256=3CA0B6A1CD43245BE819BB7D51A132A6E0392756153749082336142E7A641220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612664Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:07.525{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E92ED48105BAD1EDAAE2648A975446,SHA256=FB654DF8F11046468B81B49A0C00BB05900CFE2ADC640F621733E8474D79AB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:07.355{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B905D78338FC8EDF646EFB7680782AD,SHA256=05D41E4D5D2DC96F5D518495B7D52197504157AA3C82FD1D08D84F943CD7DABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:07.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FF6C9E3515FEC98B8EC34E944FF822,SHA256=058F4673B9E3EFB25D6AE820079F4E627C99359EF92EAD182BCE868023CE2A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612665Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:08.540{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080A40982ADF4FE0B21376338DDEE1E5,SHA256=94748A4BEC68401B5C97EF41E38AF0557FB6E21A70BCEDA2C9BC93AB50C1E05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:08.496{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90685DE3CAA4C0157124D2B31E5CDF30,SHA256=164110DD6D5BD6A502EC7563872FA13691F54A72BC219193DD3F732986819614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:08.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C142FCC6C65C043F360A838BA54DEEF4,SHA256=959D06457152A8EFADAEF652B50C70EE721D9AE8EAD907765BA2550CC186CC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612666Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:09.540{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E011385DBE05689148A6169098EF4E08,SHA256=C4C0C76FA10D4C645FA03FC68CB4BF9861FC83ED86C1904773463C7777DD3E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:09.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F8ACD9887740219F96762D0EC18792,SHA256=4C60892111A820B6815BC21A0AFDC84F45AB1E634EB8B627C4E43F03ECD27488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:09.167{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8424870DB27A3A8358771D4BA09E7B26,SHA256=145BAF73D34DD377F2FD59092DFD384D2D4665F5C57DBC8E22CC7A42429DE974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612670Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:10.572{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFFFD92DDBA745BC79C5CA413BC5F6C,SHA256=CB3D5F5A82F3B84C8F8C9B4324BB482EB1FA31070007A4B71A19940EA5AE6240,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:10.917{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5020CE155E5D13F684DEA9B33B53BE5,SHA256=92A360E1AFAF74EFE1FF241241360030E6FD30EE8C491E05021B6B117045B1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:10.214{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756BF36658A1596A5C15190E06575AA0,SHA256=317719962D7DD30B455C6B29432D6575DC3B54927D8D4DD7605CB9F43BD13154,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612669Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:07.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50882-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612668Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:10.056{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6153B11E3BEDA1ED97359C62DAB8467,SHA256=7A1EA5160CCAB0814CA1CD5958C462AC1F0F06F051A5606EF88978F307557491,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612667Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:10.056{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAE7C5BA746E399D2FF10AA60E9E72BC,SHA256=D8CB6248EC46C7814A169071D0B6E67C5D744DE335278CA70C3086440A96F5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612671Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:11.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA96191EDD68F639FE4AFFA290CF130B,SHA256=7CB245EDC2EFCE55109393C2BEFA94A9EAA5771D735282047B1BCB3AE02210D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:11.230{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83A53D8D60CAF5DA30E1A12704C74F1,SHA256=5C26D7518564A6A201D0B7029F724A4E893E7F3E97E4A78898489EC9568B33BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:12.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5792EF26E15AF2869A31F1AA537AB5,SHA256=C7E92C91E836819EE66E157368E4FCA44DF2570BC668BD67964991C4426CC141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:12.246{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B49AFCB15D7672E94DEAFF658E07968,SHA256=30F360F521AC2BD32D5E1D7B7AB59F2EB3EE412484305CAFEA809047CD6F6E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612672Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:12.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A683A82A296A5E8BFE7DAF5F97B5907F,SHA256=C72734CFE5AF028EFA5EB064BB8B1DAAC0B315FB23C74189025A9B9FE91427D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:06.593{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58253-false10.0.1.12-8000- 23542300x8000000000000000668783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:13.527{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E3162DE5F0EF3811FF2864D073D5E7A,SHA256=A01BD3C58C3C0A7462BD096B53AD2267C57969EB87CC095F86FB865E0C7FC263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:13.246{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2F160700DCB82814EF968C6295FB19,SHA256=3831EEF6C59435B04FBF0EE83E516E4230108004FDF9F00416321775FF96C862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612673Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:13.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313283896F8C5AA80C8342AA2609B69B,SHA256=B39F0DDFD591D4BD54DD39B7BA66225E93E5C823836CE98837D548114BC60990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612674Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:14.634{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947814CA2E955412C0F26B1FE3B65FA6,SHA256=49FD5A953DA68B19FD158027411A6128E4A037120A547AB11799437F32BD2CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.902{D419E45B-F3A6-60B8-F950-00000000C401}20845232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.777{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCA83C541B5461E3A005BAAAB193D858,SHA256=71CD2747CB41B5EDCA5BE88D731458698169A6E98DBA1092B1C76F157FD23256,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.730{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3A6-60B8-F950-00000000C401}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:14.730{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.730{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:14.730{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.730{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.730{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F3A6-60B8-F950-00000000C401}2084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.730{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F3A6-60B8-F950-00000000C401}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.731{D419E45B-F3A6-60B8-F950-00000000C401}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000668793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.277{D419E45B-F3A6-60B8-F850-00000000C401}31203516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000668792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.262{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA69F8FC16997DB06171EC4ABC433EDF,SHA256=48180AB4C57A4314890CB9CC01B219A8DAB0A86C1D2DA6DE411F713E7407F3C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000668791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.058{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3A6-60B8-F850-00000000C401}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.058{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:14.058{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.058{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:14.058{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.058{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F3A6-60B8-F850-00000000C401}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000668785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.058{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F3A6-60B8-F850-00000000C401}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000668784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:14.043{D419E45B-F3A6-60B8-F850-00000000C401}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612675Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:15.665{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89828A16115E9C0BDDF10A517CB7521,SHA256=AAE8E74752F3CCDCC8A93B8E4CE759FFE77352FAC489C026EA4AFC34FEB72614,IMPHASH=00000000000000000000000000000000falsetrue 
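The run of Event ID 10 (ProcessAccess) records above is the benign baseline an analyst has to separate from real handle abuse: splunkd.exe opens the splunk-admon.exe and splunk-regmon.exe children it has just created with 0x1fffff (PROCESS_ALL_ACCESS), csrss.exe and conhost.exe open every new process the same way, and svchost.exe (via lsm.dll over RPC) opens sysmon64.exe with 0x1400 (query rights only). The following is an added example, not code from this log dump, from Splunk Attack Range or from Sysmon. It parses records in Sysmon's XML event schema (the dump has its tags stripped, so the schema is re-created here), decodes the GrantedAccess mask into named PROCESS_* rights, and uses Event ID 1 lineage to treat a parent opening its own child as expected. The sample records are constructed for the example from values visible in the dump; the lsass.exe record, the C:\Users\Public\demo.exe path, its GUIDs and the UNKNOWN frame address are hypothetical.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records, using Event ID 1 for lineage.

Added example; not from the original log dump, Splunk Attack Range or Sysmon.
Sample records are constructed from values visible in the dump, except the
lsass.exe record, which is hypothetical.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# PROCESS_* access rights from winnt.h, restricted to the bits useful for triage.
RIGHTS = {
    0x000001: "TERMINATE", 0x000002: "CREATE_THREAD", 0x000008: "VM_OPERATION",
    0x000010: "VM_READ", 0x000020: "VM_WRITE", 0x000040: "DUP_HANDLE",
    0x000080: "CREATE_PROCESS", 0x000100: "SET_QUOTA", 0x000200: "SET_INFORMATION",
    0x000400: "QUERY_INFORMATION", 0x000800: "SUSPEND_RESUME",
    0x001000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the opener read or alter the target's memory or threads.
TAMPER = 0x000002 | 0x000008 | 0x000010 | 0x000020 | 0x000800
# Subsystem processes that legitimately open every new process with ALL_ACCESS.
SYSTEM_OPENERS = {"csrss.exe", "conhost.exe"}


def sysmon_xml(event_id, computer, fields):
    """Render one record in the Sysmon event schema (used here to build samples)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>")


def parse_events(xml_text):
    """Parse an <Events> wrapper of Sysmon records into flat dicts keyed by Data Name."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        rec = {"EventID": int(ev.find(f"{NS}System/{NS}EventID").text)}
        for d in ev.iter(NS + "Data"):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def decode_access(mask_hex):
    """Turn a GrantedAccess string such as '0x101400' into (int mask, right names)."""
    mask = int(mask_hex, 16)
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return mask, ["ALL_ACCESS"]
    return mask, [name for bit, name in RIGHTS.items() if mask & bit]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """One verdict per ProcessAccess record; ProcessCreate records supply parent GUIDs."""
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 10:
            continue
        mask, rights = decode_access(e["GrantedAccess"])
        src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
        # Sysmon prints UNKNOWN(addr) for call-trace frames not backed by a module on disk.
        unbacked = any(f.upper().startswith("UNKNOWN") for f in e.get("CallTrace", "").split("|"))
        if mask & TAMPER == 0:
            verdict = "info"      # query/synchronize only: cannot read or alter memory
        elif unbacked:
            verdict = "high"      # handle requested from unbacked (injected) code
        elif dst == "lsass.exe" and mask & 0x000010:
            verdict = "high"      # VM_READ on LSASS: credential-dumping pattern
        elif src in SYSTEM_OPENERS or parent_of.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            verdict = "expected"  # subsystem process, or a parent opening its own child
        else:
            verdict = "review"
        findings.append({"source": src, "target": dst, "rights": rights, "verdict": verdict})
    return findings


# Constructed sample records (values taken from the dump unless noted).
DC = "win-dc-233.attackrange.local"
SPLUNKD = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"
ADMON = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe"
SPLUNKD_GUID = "{D419E45B-753F-60B6-2E00-00000000C401}"
ADMON_GUID = "{D419E45B-F3A6-60B8-F950-00000000C401}"


def access_rec(src_guid, src, dst_guid, dst, mask, trace):
    return sysmon_xml(10, DC, {"SourceProcessGUID": src_guid, "SourceImage": src,
                               "TargetProcessGUID": dst_guid, "TargetImage": dst,
                               "GrantedAccess": mask, "CallTrace": trace})


SAMPLE_XML = "<Events>" + "".join([
    sysmon_xml(1, DC, {"ProcessGuid": ADMON_GUID, "ProcessId": "2084", "Image": ADMON,
                       "User": "NT AUTHORITY\\SYSTEM", "ParentProcessGuid": SPLUNKD_GUID,
                       "ParentProcessId": "3052", "ParentImage": SPLUNKD}),
    access_rec(SPLUNKD_GUID, SPLUNKD, ADMON_GUID, ADMON, "0x1fffff",
               "C:\\Windows\\SYSTEM32\\ntdll.dll+a7404|C:\\Windows\\System32\\KERNELBASE.dll+2b860"),
    access_rec("{D419E45B-752D-60B6-0500-00000000C401}", "C:\\Windows\\system32\\csrss.exe",
               ADMON_GUID, ADMON, "0x1fffff",
               "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\system32\\basesrv.DLL+2f47"),
    access_rec("{D419E45B-752F-60B6-0C00-00000000C401}", "C:\\Windows\\system32\\svchost.exe",
               "{D419E45B-753F-60B6-2C00-00000000C401}", "C:\\Windows\\sysmon64.exe", "0x1400",
               "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|c:\\windows\\system32\\lsm.dll+fd18"),
    # Hypothetical record, not from the dump: unbacked code reading LSASS memory.
    access_rec("{00000000-0000-0000-0000-000000000000}", "C:\\Users\\Public\\demo.exe",
               "{00000000-0000-0000-0000-000000000001}", "C:\\Windows\\system32\\lsass.exe", "0x1010",
               "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|UNKNOWN(000001F2A3B40000)"),
]) + "</Events>"


def triage_sample():
    return triage(parse_events(SAMPLE_XML))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['verdict']:8} {f['source']} -> {f['target']} [{', '.join(f['rights'])}]")
```

On the sample, the two 0x1fffff opens of splunk-admon.exe come out as expected (parent lineage and csrss.exe respectively), the svchost.exe open of sysmon64.exe is informational because 0x1400 carries no memory or thread rights, and only the hypothetical LSASS record is rated high. The baseline in SYSTEM_OPENERS and the parent-child rule are assumptions for this example: in a real deployment, build the allowlist from your own Event ID 10 volume and keep the UNKNOWN-frame check ahead of it, since an injected subsystem process would otherwise be waved through.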
10341000x8000000000000000668820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:15.902{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3A7-60B8-FB50-00000000C401}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:15.902{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:15.902{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:15.902{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E12E52308C31D46B6FBD53699C5F684,SHA256=FF220E7B4CD833329FB18C87CB4B43E32A3F83300B7B83A8F7BC5D145A6C3861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612683Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:20.736{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDCCB732A04EBA28C8C848FFBACA8DD,SHA256=99F1BC171708157B57DC9AE4913A2D912C6C0A20D6BEE3A1694A6D42D938D86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:21.879{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C810DF7053CC34B0FA452FFB0F98EF06,SHA256=297EAA154FACE6F6981039A8845E8B7FC7B3E311E03C61C874F46AB66D43FD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:21.551{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A8DA7C858B408F57B8686AB3CED707,SHA256=BE585C04D6904CE4F20336B70D27EEEEEADD87508E6F6F882908C9F2501F1FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612685Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:21.736{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48AD3FFE41D304F3BC4B20B8739D696,SHA256=2F5A43D1F062B5FE632A24CF9EABA0D0D72DF75104DB5714FCCD370872DB4635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612684Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:21.064{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449388CA0D57DC9E3D8C1273490AFC0F,SHA256=4C218FDC580EA26BA50F3B72B7D038C3B54324F932CDFE2E6D1A0BF8F2B3F805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612687Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:22.736{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3F7E28F3B8130C036FBCA3B3AC6204,SHA256=678650825E44EBB68A99179D7FA9209C39FF82D6B1DA41D2E59EB9901664F484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:22.973{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5F08A36B804B744E48FA9C4C5B74EBF,SHA256=1D2A61E9CFF4D921665D9B821EF8D0C0B0FFE8BB74DBC824CD4EDDDD720C5035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:22.566{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0981AC72368F852E2AF5816D7AB2F980,SHA256=C4ABB289BBC891B72F9BD27DBC03508E8C6FEE6CB4EC4177B147C1E54AAA156A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:17.666{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58255-false10.0.1.12-8000- 354300x8000000000000000612686Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:18.893{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50884-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612688Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:23.751{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D162F522D79CB4ED9FECE1757C19B87F,SHA256=8706B22DB4AE5EECFA77B84B1D6B287DD9A85FD74DC5706526F4EE3CBAEBCB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:23.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F40E0381B7FB286F79E8D2B2E78AAB,SHA256=B0F0662CACF8ECCFB0B80A013EBE7EA7BF98BB92C642B2D97E5D49977040CBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:24.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BABECD234C3C07E3DA63AD7C4D2F172,SHA256=AE2CBEF12293F41CDF1B18B68402DBD453D460410383D3BA7F4B46620CC3F1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:24.751{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6FAF84B792BF48B2EA33EE08B11E02,SHA256=0843D3045E5EF4814413301D29506A5BDDC5F0BE338674DB91B5FFAC43E93402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:24.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCD1B900C90B826F6B07D77ED7D45317,SHA256=67EA328E3D72BB3576BC7087DBA703DB254EE9CCABF7EEAC68E05F178AD2E5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:25.767{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75CB71C40921192294DBD45E09EA5D6,SHA256=E440E418E6BC0957B39217B8A25F928BCB56DB31EA157EACCE8A70007A3B5D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:25.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF812E42F987FC9666D78D621225473,SHA256=072711EB53147EB02ED90F7656F056362191491DF37E449C7AF7467E4756F421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:25.348{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE51ECD5F347D0734A7BCCEF03D71B0,SHA256=15DD5B8D66F67E451F7B6E6E7FD04DEAEBC5FCFF08A3284296CE7573B9E58CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:26.767{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F043F2DA87BFFDED80B7F74FE18E15F5,SHA256=2B27CF97613CB8466BDBC3A6B48E8A477747EAE29CE0CCCD48E9889FA132BAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:26.848{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758512445C53DA61AC4AD94A3E78F458,SHA256=C438DF8119AF1149472386C45F6EAB74F399BB7178375FFE3EFD875B5BD493B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:22.695{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58256-false10.0.1.12-8000- 23542300x8000000000000000668868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:26.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CC9C206969EDBEEB62323ABCDED368,SHA256=0C753BF86BFDF17B3338F617DFC1DC8A853194DC3D0707F3283BB49E5814A43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:26.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327060ABFD5C6AF077E23DD021CDACEF,SHA256=FC61636ADDB6A0766BEB58CD4AF4385229B107237767F8BA1427264914D7E6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:26.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C95F953C6DF4B65B6EC89CEE2F523BD,SHA256=A7CCD77DA5AF30D6A4DEF69347A66CBB0FC1488FE8887B920EE12DB8373F28A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:24.049{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50885-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:27.783{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16580C26154F93202A1D8E9161E16C8D,SHA256=B7A7FBB94E2571A8E0E3ABBF6DDD87D9F51BE6AA4299D2BC6DC630006685060A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:27.613{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D66E02116C3E00C207801917A113C5,SHA256=CDEB3C5CAE068BD3A3FBD4B1871C462052BAFCADA9698EE9756ED68485F5A08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:28.783{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B23EC02E4FA385B07FF2B0E96718EF8,SHA256=9ED3C00B5F91EA3F3C1393E76430C3F4D935D71C19141BAA024549799CD86EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:28.614{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96126CEF435CD4A06C376956AE8176A2,SHA256=3746B5B14C1BDED11468F05EC16E60908FF03CDB22C4E4F6862253D0786F2870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:28.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84333607A1B1C8423439A512352469AD,SHA256=70C9D1844323B62956C2B66FA2908DEB13B70AA3685C912BB5D214B59955D0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:29.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DACD5C86F80EC88F761D18A5D620D84,SHA256=A27FDE84033EF3756CAE1F3211E9E4C28074ED30629157F613A32A7F677F90E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:29.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EBE244BFC4B741FA48E00FD06190C1,SHA256=390E3F54FEC11E78135FA51A2F6D8B9C5423A020B3AEB8B60F49CD76BF274BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:29.142{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9b67207.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:29.129{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CEFDED1F0092723306FDC74A93D4441,SHA256=406B5FF60CFB71AB9E820C842B6FDDE6804AF9CAE72E7155DA2BFBAE32FBB94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:30.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3376D4402C30EF68564455E8A8A77021,SHA256=BEA71C9302CDA99423BF4497477B7850CE4EEC4199A8394BA7F9F5ED68C9B2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:30.691{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A051FC1D27913067D8A09AF52F7DFCB,SHA256=76689A25ACBC970156489B9EB7A0BF6A4638EE738CEFEC1D33DA8C9B0688291B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:30.673{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AE4920B39CB370BCDF3DEB1C8A866475,SHA256=9FD7B9BA75BD69BF6A053DF8A357195F8BD4F68167D9ABE253B8BB94145EE927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:30.673{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0EA3892C3BB19037965FEC45A0B1369,SHA256=1EDF5D98B604E4CEB37EE7573D0BFBDDEF07291775747CB8A823A08F2C4E96FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:30.394{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD6EF69F211768C10EC9A8BC26C3286E,SHA256=D91B47BCE3892EB4FE63C6D06745750191E91FEEA8444FA2B5E5B78712014FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:31.830{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276F497E2362F4B2B90FB08E593E8D17,SHA256=E6B0311872C23B28A351F8064A30F39B7F3BB20E0E85789371C72B37ED132B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:31.941{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0202A648EF19F62D7D5C90735015FEE,SHA256=D5D9344DC796C525F2F952C6FA07690E2D7B8B25AFD75F6CBFF5476FF8AD59BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:31.723{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1383A6C21CABEF47AF1A9853D9716F,SHA256=C71972C7A47DC9D7DF71AC785ABD78F8774451F99BCC56C57F99187158958E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:32.769{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A17B61979EC604AFC86FD357F49AF,SHA256=85621F06CC2F1DF698BC2AAAFDE6075954714CA87A512F6FEB842ECB5A73059E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:29.924{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50886-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:32.845{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86BA73570CCCAD7548D90FC99C794DA,SHA256=20917F0E1C75C7425879E8EC2B5AA66BFB05FEA318D762399D1394803828E11D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:32.111{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8460D4F029B95A0B996F8FB2084BB6,SHA256=9FA1B26DDAD87CA8E7B159E6E0C032D1572A074C45643C28215B0FC81138E48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:32.111{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327060ABFD5C6AF077E23DD021CDACEF,SHA256=FC61636ADDB6A0766BEB58CD4AF4385229B107237767F8BA1427264914D7E6BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:28.632{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58257-false10.0.1.12-8000- 23542300x8000000000000000668880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:32.254{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=44090C16908DB6AF3AA4ECFDF652BCE6,SHA256=99FEC90034019AE68F3414D02D83DE0C6EB963D66D1DE88470B149F1A65A090B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612707Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:33.845{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081604A5CC90DDCD05B3A45F037CD067,SHA256=B586728B9587E7B7135D2008A6798689F2DABE6A4D8C90AAEE0D53BDCA99680A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:33.832{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36988FEF0F9CA5F4F4429146C04AB76E,SHA256=92157DB3AD479A0A93C26836A80F8E06585D43742FB12F1BDAF6984A467C5331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:33.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54954E7A820670338F1630104FA69CFB,SHA256=73D8B60E1B75064C60763AA6CF5C61620C6CEE1AA62ACAB9CD4EA8ECA566B4AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:40.991{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50888-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:44.006{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3F8925CC83CEE98552FB68FFE5AA37,SHA256=7B0AC338E857A774C9F25BE5AC0E739F27564927A9290F6897D492658DF43810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:44.071{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F3D7BF6C97EB7AB8F6AD28BD5E45775,SHA256=D0FB8B58BCC6A104904130E4D3C641D2506EEEB3B8DE065774C84F8E93C64811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:45.634{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A10F1F5929256704A15E85329049B4FE,SHA256=0951D7E218E59B15581CF1AFE9E236FD1C77D9E27A0DF6D0735E95AF992F9218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:45.306{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0666E20552AE9B7B1B12AF7BD66931EF,SHA256=E1701D045963527AFA63561BDA983CA8E8D639291E3C710C69C5A057F839AD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612724Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:45.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A185E0A877A9BE4C67AB548F3EC435FC,SHA256=B381C13395DC0F0EA4A2B553CDB23945261066AAA24A103418CB81CE3CDC931B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:46.696{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=849A08D0EAA2BB3A47FC5DE6B6B3632A,SHA256=FC6661ECF2C92F62CFA94B6A33A11053B40E85CEFAE5675F3115A811D73673A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:46.352{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CD651660E244905EFDE390AC7217E1,SHA256=20D063C17B52F2F3527E208BB31F4E4744912A309D28BA55E58C62A0A4DA8A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612725Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:46.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B9D50C8938E36616F5EDD90A38B5F9,SHA256=5FD622A19AF01B05EA8FA5A4E361D5A667DA50DCFF59CE1B31754A191733DD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:47.821{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3E46FE6DEB8EA760B422B6519DA8E8F,SHA256=7A5722FFFD4FB27A3BA5BC92AADD3229F767CDCE94EF01D22863A3D2EC1A8903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:47.368{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09E871247720BBBC606ADB626B0A65B,SHA256=C35766F8025D47BAA54486030C7F4B79CF325DF7FCD5E0DCA6F9D5E512AF32B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:47.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5541946B042B4363F04190FED051CE5B,SHA256=C12625157795F32AD37288957D2024F3AE89B24C0D7FFA289E0201D570CADBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:48.384{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB22CD9FC3DA2AC0C44040332411273,SHA256=10DFDF6E82379B72ED533BE6D2279BE273D78FE458EB3B60F2242B9B37286E88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.834{97C2ED32-F3C8-60B8-345B-00000000C501}4321556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.678{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F3C8-60B8-345B-00000000C501}432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612734Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.678{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612733Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:48.678{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612732Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.678{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612731Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:48.678{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612730Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.678{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F3C8-60B8-345B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612729Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.678{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F3C8-60B8-345B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612728Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.679{97C2ED32-F3C8-60B8-345B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612727Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:48.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA0AE99B0627EAE8CAB318AE5EBBA13,SHA256=29EA29027C75220A04FA54084074A2B396061A3155CE4B66C6270A5BC636CE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:49.399{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9215E453F2CC5F1E033BE3B574D161AB,SHA256=EC51E699EEAF311E4C19BB28CC33BA405A065C356FC8C20ACF364C0190ADCB21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:46.991{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50889-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000612748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.490{97C2ED32-F3C9-60B8-355B-00000000C501}325168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612747Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.350{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F3C9-60B8-355B-00000000C501}32C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612746Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.350{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612745Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:49.350{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612744Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.350{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612743Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:49.350{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612742Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.350{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F3C9-60B8-355B-00000000C501}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612741Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.350{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F3C9-60B8-355B-00000000C501}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612740Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.351{97C2ED32-F3C9-60B8-355B-00000000C501}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612739Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7025E872CF2DCD0CB7F0BF379B1D3600,SHA256=CF4B99BE773FC275CE2B81DDBEE24507F57E184526DBAEBA1D53E3FE9347C845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:49.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F987F533415528807E5B1774BA3C722,SHA256=760798CAF44557476BEC0762D81ACE4CB71308958401A25B6FA835F5199B078F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:49.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457FC0A7F2570B507BFADA98F6991EB0,SHA256=576CC3E4DC1F09DDF13B34FD611345F1D04812D7259AE75A32780A557CAE56B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:49.071{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBB34C646F7EDFF7715D1357DE9FCA07,SHA256=8AC27B7FF541CA86FF046557FAEE59772CC997775101B78D5F2232E6D0E9506D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:50.571{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF96455186C97C51E5A1336F900BB66B,SHA256=1747CE4E93D072F51DA165944E2490B5752E1F0B9B73F0403A7571252B825D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:22:50.430{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9137813A20D298FE2CB6F2AD07D66629,SHA256=65E6E3A6E95FF68996A1C7F47BEBC02CE74F12638D7929A8AB6CECA277968661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612767Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.522{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-D500-60B8-E756-00000000C501}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612766Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.522{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612765Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:50.522{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612764Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.522{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612763Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:50.522{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612762Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.522{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-D500-60B8-E756-00000000C501}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612761Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.522{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-D500-60B8-E756-00000000C501}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612760Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.523{97C2ED32-F3CA-60B8-375B-00000000C501}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612759Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.381{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7025E872CF2DCD0CB7F0BF379B1D3600,SHA256=CF4B99BE773FC275CE2B81DDBEE24507F57E184526DBAEBA1D53E3FE9347C845,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612758Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221E9C6CB3504EEA0A1743ADEBD7634D,SHA256=E78CE7BDBB3DB96190B856D6CABA3E09DB9BE5FE88D5ACE658397271C94A34E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:45.606{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58260-false10.0.1.12-8000- 10341000x8000000000000000612757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.022{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F3CA-60B8-365B-00000000C501}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612756Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:50.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:50.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:50.022{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F3CA-60B8-365B-00000000C501}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.022{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F3CA-60B8-365B-00000000C501}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:50.022{97C2ED32-F3CA-60B8-365B-00000000C501}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000668948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:51.602{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=434365FF52E1F6B1610E94FB04D4F428,SHA256=9CE17A42BA8DA7B246CBE77D55A5B04836E367DCFC33D6CCAA1544B5EF268FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:51.446{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C5BD27F55E4F72A05B6A302DD3FFF4,SHA256=15A6A440508E8308FB3477239BA58333F75C8DF2FA887F859002651C8C5898A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.772{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F3CB-60B8-395B-00000000C501}2844C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.772{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F3CB-60B8-395B-00000000C501}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.772{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F3CB-60B8-395B-00000000C501}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.773{97C2ED32-F3CB-60B8-395B-00000000C501}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612778Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.537{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC9518CFFBEECBD1C409E28A555F3A6,SHA256=FB777C5609ECD6492C9F806553C2AA5D10D51DD545427C9B76ABCA87DF01EFF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612777Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:51.272{97C2ED32-F3CB-60B8-385B-00000000C501}5940596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612776Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.147{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F3CB-60B8-385B-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612775Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:51.147{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612774Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.147{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612773Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:51.147{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612772Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.147{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612771Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:51.147{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F3CB-60B8-385B-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612770Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.147{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F3CB-60B8-385B-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612769Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.148{97C2ED32-F3CB-60B8-385B-00000000C501}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612768Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:51.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3ACF7077BB38DDCD4EC591B08A9843D,SHA256=C659852E393A12D9ACB99B23E138319C205550F2A0E5CB04A0ABFCDA2D0CD542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:52.852{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E531585478951B4DD1D73C4BE5DBE81,SHA256=96B0A71EE59C6CBE082CFFFFAB77CB8D427E32C4BD008AD0BD2E9BFF0D1056FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:52.477{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D5CF8403ECB9FA4C71D1C9F79D596E,SHA256=95F68B038913BD3AEDB4B2A614664AE7103F70323B9A291136B50F4922E09F6C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000612797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.787{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77A6A2DE957977273A1416D3D66702BF,SHA256=00A17037C9C1CC4476463D976824D17708BB3B8DA53BFFEA891472ACFA7CC036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.569{97C2ED32-F3CC-60B8-3A5B-00000000C501}24684768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.444{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F3CC-60B8-3A5B-00000000C501}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:52.444{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.444{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:52.444{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.444{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:22:52.444{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F3CC-60B8-3A5B-00000000C501}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.444{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F3CC-60B8-3A5B-00000000C501}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.444{97C2ED32-F3CC-60B8-3A5B-00000000C501}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA7B226F958B6FB64D298AA30B54321,SHA256=F02D6F37D57D6284F117D417A0CFC97B13FCA2B668609181B0FB343B221B4761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:53.602{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E704C716FE7AE5AE6B39103914F01AA,SHA256=761C7A6C33E52F24487A18BAFE5B218A5A7E94F5098AA97C4BAC4995647EA382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:53.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484AA64A017AF55495DB6273655ADF60,SHA256=D54A89E4E70DFA8C2774A28EBCF53E4E28872DF2579A6362EFE5BE18283BEA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:54.602{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230A5553D367146744A442F1B0D17C23,SHA256=F19E20BC24E502FCF6DCB14109AAA146CDA42694260942C8EFB213CE777F5588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:54.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4172AE72E51C1BE7DCC2739D4E4499,SHA256=BF0BCC3E08FE54B6ECBDA908865B3C60ADAA8CA06309404A239E56B10CD02DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:53.993{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=776B7B7D305D103AE3DCEE68A47701BE,SHA256=6B7FDFA6879E756F40FABC26E2DA71F33D04E965B6D70AAD82266148E58B05AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:55.618{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6070F354A0A188D353A10BCE32EE70B4,SHA256=F11AC1F6B9DF28A89567130922031FB15C99688A4EF5CCC291442CB2FA3EEC2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:52.991{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50890-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:55.147{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70A06793C01B94F1CFA071D4A4BD8122,SHA256=890D8784FB416CD81960E33D20690C84CC4FE5A569095964D1DCB0749F6A678F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:55.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D1FCB5C49A19465F3B2B86370F176B,SHA256=303B7A155FBA79E018232DFD5991DF687B3084F447A7FB910EF97F5C64D73446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:55.337{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A859EE1CD972D2116E5BE75D00EC69F,SHA256=51C2DE8D5BDFF53C989561FAF21E5707102DBB26830E0B65E3EDEEA1242E9FCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:50.684{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58261-false10.0.1.12-8000- 23542300x8000000000000000668958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:56.618{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74071D85E39378A6D3F79C564F95E49A,SHA256=047BC6CA703B49A084AA2EAD068E63D04EB8A16CE17B1817941E7C72604E5579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:56.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22257AF911C855D4190745EEFD07E7E,SHA256=45D95878B040D02680F63C694438DB44CF199675364EBE93D704E7BFB4AEC014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:56.384{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7936D160C677F74BEEE5872622711F83,SHA256=E586C0EF8E0C219B6B1787DD239FBC26FC3073BC842CDE46B6227BA65447DA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:57.899{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E3F909D37C7EEB3C82DC6ABAFFC410A,SHA256=A00B627ABA2F71A1AC7BD2B67D96DE2F7C025D7D99EBB8C81E3A3D1B0A25DA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:57.634{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2866BD3A254FC5214A9E592DBCE39183,SHA256=966973C79002B6699BE25B0B4ABACD64562969C5F974739EAD62A57E0749A1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:57.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7456E3F2C64B5199C4DFC5B037937ADE,SHA256=7345314BE1F2B2198B432FDCC7C2CCC37F64582DDA4B0439E958EB0912AADBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:58.634{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C14DBE3402AFD0FCA437D9C3CB6F61,SHA256=60E20864BECC7FE9275B33B4EF869FFBFBB7A60E9EEB2CCEEE6865CF10DFED1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:58.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD6396FBF79FEA3DB370DD6CEADA550,SHA256=BB86BE199749602260DF58CCF6671946259BFE598D011C8C02823F1D8FE53C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:59.638{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E415479C139FC3B47315880CCFACB1,SHA256=7602F684B7D0DA8282B1670F2F08C611FC130DF81DA38E6FAEB6B0294CCEFE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:59.303{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:59.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33C62E403F65874BFFB376C0706AA21,SHA256=DADE9BBA63AAF116F9829511EDAEBF84857DE6C623DCD9E785B68F8B11D9D0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:59.040{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755F4517F58A91301222A380E670CC6F,SHA256=1D6C5DF65322C5F05A372CA40C2DECB59CE2752641E53879E15759995DF47AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:00.732{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8DBDE3FCF2B40A4AC668A25F55AB6A,SHA256=5FC06D03468BE3CBECDE33BCD30818CF4AA3B75D4C3971D5F4811692D24992A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:58.132{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50891-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000612810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:00.292{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC9F11AA0A8E4A0B7DA6D9FA5B04ED08,SHA256=BFECC6845FDCFD5393E37063326BB9E13E99BC7A9EA5F529CC9A89482AA8239D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:00.292{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC4DF33BD7D8B9536A74331263B8B30,SHA256=009E4736253866AE79DC060D39593837472C2F4D768DB609A546AD35E3793C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:00.073{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DCE05D60DAEE6C871CF1BF9F17B33F,SHA256=3D53B2C0FB785E534DB7A73A4C8828576E88DDD7A63848875AE7F37752EDBAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:00.200{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B3ACA9DEF3B9DD9E2C25CA44552C4F,SHA256=5637A4772176ACF425F5B5C7F54F2898798960602E7D130C5FAFC511560B511F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:01.732{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4446A976642A057FF5C401E38D2F742,SHA256=7BBEFFA6ECA7C9507D591B1ABD49FB8E428DB58D45DB6D97336B9DC4B8878920,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:22:58.887{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50892-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:01.073{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBF0A86FC5B3A035465DE0BA265523B,SHA256=AA7F08F0BF119ACA63DB61AE5A5438E0B085384652B746A6721B2DA2D2D99F15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:56.637{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58262-false10.0.1.12-8000- 23542300x8000000000000000668966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:01.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7CAAE31934CB006147E0DEC4571EACE,SHA256=2ACDFFD0B37E50638E3EB29C4266A5E4BEC4365421E50B92582A2D8A81DB1280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:02.919{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A36658696D34A47728A5241B801F1BDC,SHA256=CB5D0F9C93A61F70CE8AB376FCE5C7938E1A3193A56859C23A6BC4CF735ADCBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:02.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6C921DDA62E79E0B679F17FF4DDB96,SHA256=8101DAA27DDAC366BFA14E162952B36F7712F616C03EAE4AB81E062E75ED492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:02.431{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=20B21481626DA9B3888C8CC155E47809,SHA256=67D54C8D324FD3104A2BA8640DB0055E2D7903CFE1E280EEC71F91F95D75CCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:02.075{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1243B4255AFC2961A0CD12DE3F87C80E,SHA256=4EA3B05C1E2AAA2E81042109CE66A38C9EDB9744F78110775D8F40AEEE893780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:02.247{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:03.919{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C472A1F02C2611B00DA682797CDDD588,SHA256=E684EB801508D7025B6CCC68F20DF39114CAD5661045806D8C7FFFB7089186D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:03.087{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E02FC85F7D9008ACF9D3C25A8ED3F3E,SHA256=338D8574AD910D2D4C3651DE18F8299D99491855B57120F320B88F1F26A226EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:04.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8747C9F7E3474E35A9C7827E76998F85,SHA256=A2E10B8F71831A60B7D17A373C25E3EA36427ECAA95A0FE4EF163C89CEBB1C95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:22:59.688{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58263-false10.0.1.12-8089- 23542300x8000000000000000668973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:04.060{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AAA29BB4CA0495F2A1A54D0A51335CF,SHA256=93F2ABA24B68BEE7C1CDBF822A9B96CB8225CE3143BA428584DC2D0ED29CC745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:05.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7014EAF10A98EF5B749EB16B973FDD8,SHA256=E6CC179D23C5EA85A78CCE9CC6879E33E80985E6BD2BAFAFE0A2A2A01FD7A1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:05.186{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E437FC1F23E9E9A33BEE0336BBDD0ECD,SHA256=47D6FEE7405B2AE369B8C623BC5258215BF817B82E926DAB204C3FAF9B2D0D68,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000668977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localDLL2021-06-03 15:23:05.186{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\7z.dll2021-06-03 15:23:05.186 11241100x8000000000000000668976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 15:23:05.170{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\not7z.exe2021-06-03 15:23:05.170 23542300x8000000000000000668975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:05.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1780F79774B5BB139FA2582F6E8F63,SHA256=7D708B5F002BC90744CE781C6D7A334FC75EAFDE9FC832B20FEC7CBD4CA9519C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:02.564{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58265-false10.0.1.12-8000- 354300x8000000000000000668983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:02.486{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58264-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 
354300x8000000000000000668982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:02.486{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58264-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000668981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:06.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A541A4065EFB726CE3E605F84881F9A,SHA256=A43A57593907E15E691974E19FD87545475B1F6959887C532CF3FF435E365AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:06.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7FD7AA93791D9F9BD7785132090AE1E7,SHA256=ED213D8FFD13C54435F8BF2183AAC63A272D300C6052BDCD1BB876EC559E4CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:06.059{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B6DFD1BB255653AE51DF61DEE0CBFE,SHA256=3786A5D4F76837C08AB3670D9AB8BC830E7904023B323A015A12FE6313B6DF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:06.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=570D0237EC20940D7A15DB3F8D410E21,SHA256=5FDB0E2E1C13C1F80DCD09D50F138E9499552C4B28CD5AF52A9A7DE3ADBECBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:06.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC9F11AA0A8E4A0B7DA6D9FA5B04ED08,SHA256=BFECC6845FDCFD5393E37063326BB9E13E99BC7A9EA5F529CC9A89482AA8239D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:06.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834C43E2C8108C53BECF867C55670CD0,SHA256=673738F61BDCD05C40E074E63D2F80C63132D5892F002609A35E12343D2D1552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:07.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73243A5F28FB3836C4848A4D607C2BD,SHA256=EEF764EB2132AB95CA0EEE60032606D4808A9C97A453385E6D60B906046F1BC2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000668986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:07.469{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39C7F1240B339C15A5F5F298341F29BB,SHA256=AB9941B568569F51F45D1E6DCF6D81A7344ABC92B25900BB08E847A7AE00AB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:07.094{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24A605C23DFE7DF5B25CCD2CC5686B0,SHA256=4DA1B8DD974B4780944DBB80941D475CECDC6DFD2C3ED857AFCC60AD8D060D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:08.121{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA641636D8DD0B83D78C909355A6AC8D,SHA256=A52AF93C82656FA3C112BE13CABAFFA6A847C07DEDD53C9645232B5D50034203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:08.797{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CEB6B60C879702C7DC8412443065555,SHA256=D14C408675760D85525923E90AD1CDB03D811ABC1454E919D9F13515149E8470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:08.407{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57BDFA68C14B3720FB993EFC73225A34,SHA256=173F588F82F1ABD6D9CC7F1972B81E65B84C5891FAC3C2CFB6E97D96719F7894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:08.141{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032C33472ECF95360138754CC3E3F23,SHA256=0C90021CA880E94FE1DAA14224CC0CBC8F52887D048615553C9E0E0ADD37010F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:04.044{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50893-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000668990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:09.204{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85398C194F0D211289AC098AEF0A02BE,SHA256=A0A3709CE86187B28C5FBC929E0889C7C2529F87F5204961B0C5F7159EB8CB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:09.137{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149695246D6CDFDF1DB6F17382CD5F38,SHA256=9703227C7A699E9F30C1A3D6640A8F33AA9D714C0E75BAE1DBDFA4E9FEDCF852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:10.219{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D9F8CE0B8C535C9D9CFC2E5F9C9ED8,SHA256=6ECF318EABCB880EF517F65917DC779C048E0613BD035A70C42A820B0B136B8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:10.199{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.137{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4EE9E880AFF491CDFC676922EC01FB,SHA256=ED6DB4669EB47BAA54916E49EA92F49EB64090DDB8E3B4324D15AE572D2D6E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:10.047{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=040F7124B4BC2F9CDD49E23B3A1DC991,SHA256=3BC16AB07EC90C7B0CEBD95D95030E2431C233DAA28DFAA1EF6D9CBB095F6BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:11.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF7BE2F109DE724B560B55ABCABF6A3,SHA256=6E25997A37DCBE67471409BB2FFBD065CD2C28536F17106E982A590639D999B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:11.293{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C0D9E7DAA5F67DFC583BD63541E4D6,SHA256=5F316C8A60165F3A1E3FB8BC2119476A4A8FE7F04A3956E42419EE8D669C8E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:11.079{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E8A9944E87DAA01CFBD3C626829DC7,SHA256=BE38AC2BA983D2D23A505555AD7D9EFDBA2E639F3A7E707C2AE7C822D496D6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:12.454{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4C8FDAC107E67E0DC45AE0453E20C97,SHA256=9F0B404A0317E8F090AE169D90404742AEFE60180FA6B35794BB9972A4D3FCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:12.266{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83922B5DDBA59E5832B47D0ABB7A1A69,SHA256=4BD9276EB14B150F62E527E016DE775D1CD2A091B815575B7DAC846165475564,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:10.013{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50894-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:12.512{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EB9B8365236FBE413AA0C2DE1F4AC0,SHA256=637C209766B7DD719DAAA2C9E0213FDF4CFB504BAC2C047E12F675E77CF32FCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000668995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:07.675{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58266-false10.0.1.12-8000- 23542300x8000000000000000612856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:12.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BC1750D9864E23DAA38E20E78CFB51C,SHA256=2B944B0287F85F3124266B062F22108B55EE43C0C5A52A56F8866431166D4F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:12.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=570D0237EC20940D7A15DB3F8D410E21,SHA256=5FDB0E2E1C13C1F80DCD09D50F138E9499552C4B28CD5AF52A9A7DE3ADBECBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:13.768{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\7z.dllMD5=72491C7B87A7C2DD350B727444F13BB4,SHA256=34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891,IMPHASH=09C182B10B88CD78AA1B9A1FDB0142E4truetrue 23542300x8000000000000000668999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:13.594{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C766F615377C70445A470B0A574F431,SHA256=E25D77D72CA4B0A8750DC1F9158731E8FC5A7A890D90666C4794E560ED523635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000668998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:13.282{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE20B7C13BDE19465DF03B893DF7E950,SHA256=58AEBCB197965933AFDEF8DD08FB6B82830D69841950399582513D7CA65FEDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:13.512{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F569C88852A7597E106B2517D3F28B65,SHA256=C33218E2227DAF5123BA45C3EB206A6B7ADE59B4C3160601E4A7327EDDBB1B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:14.527{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BA774C06DE5DB5B32E64557A8F0166,SHA256=DB9F7D3DC60275CC60E184438A768BEDBE5070A281EDFAD43CF78B2871B229FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.938{D419E45B-F3E2-60B8-0051-00000000C401}62164996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.813{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD0788BB5E00A271D496F97398BE3F6C,SHA256=02B9A195158F168A9BF6D64806FB71B1B95EF7E78B9C3035C5B6DAFFC7611B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.813{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3814424AB331D63BF13EDBFE65FED495,SHA256=AD4991A4FFC1FBFC1A74F93E6020537E3E1B629FB12E08ADCF2672A4AB284C51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.751{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3E2-60B8-0051-00000000C401}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:14.735{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.735{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.735{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F3E2-60B8-0051-00000000C401}6216C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.735{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:14.735{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.735{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F3E2-60B8-0051-00000000C401}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.736{D419E45B-F3E2-60B8-0051-00000000C401}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.297{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9136B39C1D67F03C73C8706FEA1DE944,SHA256=F1B34A1D8BA9D8B5835ACE8074AF4326A7687E15ACA448A1907D776344ACF1DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.063{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3E2-60B8-FF50-00000000C401}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000669007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.063{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.063{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:14.063{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.063{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.063{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F3E2-60B8-FF50-00000000C401}7024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.063{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F3E2-60B8-FF50-00000000C401}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:14.048{D419E45B-F3E2-60B8-FF50-00000000C401}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000612861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:15.543{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060B1D15F66FE0876F5A0C917027A614,SHA256=B5EAFF794DABE752983FFE57B296AC2E3A2FC65E196D00E3FC21B7FF7B270826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.922{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5FF1E78C72C5A9DFFB0BF6D4B433B8,SHA256=4D50FD5BB98E2D65DE009278D5FB51BA5C39F86D5047C302239C4E2962B745F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.907{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3E3-60B8-0251-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000669037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.907{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.907{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:15.907{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.907{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.907{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F3E3-60B8-0251-00000000C401}6184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.907{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F3E3-60B8-0251-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.908{D419E45B-F3E3-60B8-0251-00000000C401}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000669030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.629{D419E45B-F3E3-60B8-0151-00000000C401}44121448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.407{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F3E3-60B8-0151-00000000C401}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:15.407{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.407{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:15.407{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.407{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:15.407{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F3E3-60B8-0151-00000000C401}4412C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F3FF8886E368C627DE6E5148D7B794,SHA256=0689120EA17F3EBD075C82053F668917AED97C2C6573FB2F507EE7AF5C3CD7C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:18.622{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58268-false10.0.1.12-8000- 23542300x8000000000000000669092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:23.057{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7E576B810ADDDE654DDA967EBCBBEC2,SHA256=33597EFFF7137A038CEB33B2A92A3A606CB5264EE518AB7859B6D76DE1EC1C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:23.057{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A73664694FDB39680DF6BDCBAE4C987,SHA256=BB5D765DF93632221DFA2BD3D71D31E0F70976A786B2B052A2EE97E7DA0C3976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:23.210{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19629745DA4FC64FC2E04EA47E9FF508,SHA256=415913CAA314FBAE891C09E4292A653AC6CA312264BC258A14C9089999AC9A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:23.210{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14B3B208D56044E3D8399F618E641DC,SHA256=D293BD23E1ED141CDB7BDB36911146784FDD09EBDC3F4C9550F765AF3E165D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:24.679{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131FBA167A4FF85D86E3EAC4B97AC95B,SHA256=B22767E0C915E6E6792E247814F7CD70839C45B6C7F8783BC7599E52CECCD6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:24.197{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F80A082E62AB45AE63387A22E53640,SHA256=EE6C76D9E3BA261EB377DBE740A83755597D4F5A3C1CC90820D2A44DF15B0125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:24.072{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11799DC4368AE111B2D93898235443DD,SHA256=3328F6FE96D5DE40B2BCDE2061E6A450BA3C819810C3C30DE03058E9E0897850,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:21.055{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50896-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:25.679{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBF98D97F56CE0BC34C1756619B0A7A,SHA256=B1007B8701B9B6E5FEA3540DDB491E4D0C2A4EA2F08A530A2831E508F05D885D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:25.338{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=374AA5520459EAC74CE69EE435BA6C67,SHA256=D6340D2FA6544E5CEB12E72AEC396A441FDD48C7688C07C5B760228568E36AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:25.103{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ED64EB777BAA38291197D181E0D701,SHA256=8EED8A0A08DD7272EF5B413C7AD56217261C471BD13673102BFE5B7E32CEEAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:26.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCB5796BA5B8C618414A5B975DCC3C1,SHA256=7C04EC64E267261409C273A2996D6246E752C8D418D6AA487573AB617F3E96A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:26.416{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=994637557D53AE69525D6C6097E5FA3E,SHA256=3D5DBDEEC226CBD74F12396C12DE2CFC637CBAC91AE6DF4E52CEF841381DA40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:26.119{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F139974FF647E2B86A0247FAAFFBE1,SHA256=45FEC6991C5ECFCF202E6442E08D963A7488B29235C3323B11CA8E8A005265FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:27.710{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2445FE8585C0FD72B29BA092F0B6E723,SHA256=A8D7935217ADDEAFB1C28B8991D2CCC3594B504F48EC0BB6EC25D8026C4C0A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:27.509{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A09CBC4E2326CF8A850BFD07FB1D95,SHA256=AEEB6F4801D4AE5D3714924804E18621CD475374E2769C9035791C93DD7F43D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:27.181{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954604B6156FBE50E5BD7F70C842D0D8,SHA256=642F041A67BA2EA7A77D2078F062D95C3D91CAB7830C19E78253601B6BBEBE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:28.726{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2095E2C032B2F7C48C43DA41781AE409,SHA256=205BEA804E77928E29BE865A5784A430884ED2075B31CFCA53FF6EE09F207666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:28.839{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1421DD5616D9BF8A7DF1A8788A82FE37,SHA256=C4DAC237110B1EB3E06F6AA3BD1C985D81CB6572A067FAAA432F7146878DCBC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:24.622{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58269-false10.0.1.12-8000- 23542300x8000000000000000669102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:28.213{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF72B344EA97E653220FB1323D42E49,SHA256=DD8A248D98297118F083A928B50BE341E8DCE80B29CDF9ED9221C2B03BE08882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612904Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.757{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE88DFE415988E7B0DF8AC3D46658AF,SHA256=ECF1A4C77D148E8B276E6BC519684A90C6EC596A3D06498D5D4B093569F5F90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:29.214{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFB031DAE458FDB3CEA5C963C3AA076,SHA256=AFAEE99757E8334198E802179F5B2D8E1C8341EF7990F723D7F0BF6C5A131F9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612903Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:27.024{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50897-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612902Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCF5AD6EE6C920DFB22E83E16FF8D83,SHA256=10ECD1E631AD1F8B4E6D4C7B77B115B7104052C2253D7BDFC860209A30CD6E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612901Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19629745DA4FC64FC2E04EA47E9FF508,SHA256=415913CAA314FBAE891C09E4292A653AC6CA312264BC258A14C9089999AC9A77,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000612900Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.163{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000612899Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.148{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612898Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.148{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612897Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.148{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612896Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.132{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612895Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.132{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612894Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.132{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612893Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.132{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.132{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F3F1-60B8-3C5B-00000000C501}2464C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.132{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F3F1-60B8-3C5B-00000000C501}2464C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.132{97C2ED32-F3F1-60B8-3C5B-00000000C501}24645208C:\Windows\system32\conhost.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.116{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-F3F1-60B8-3C5B-00000000C501}2464C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.116{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.116{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.116{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.116{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.116{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:29.116{97C2ED32-9D3E-60B6-7A08-00000000C501}33645384C:\Windows\system32\ServerManager.exe{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.
30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000612882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.112{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000612881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:29.070{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=C4BF791AA5256E70FC90C9CA26C409D6,SHA256=D67A42B4A7123C7BD713EED0F9E0B46B48E164CD69DDB3DF2BE0D217F077C74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.757{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFD96EE9707814E9C4D0C9895DAC2B1,SHA256=0C1B16132CA7EDB0241A043B3A43881FD07256A2533B66537572F45EBBCEE6BA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:30.229{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08748FAD57BA22CB6923F5A1858C6968,SHA256=2AD7F6466D59B213CB181922D934B855028B5500E90DB645926EFEBB3010BBFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:28.010{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50898-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000612917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:28.010{97C2ED32-F3F1-60B8-3B5B-00000000C501}5704<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50898-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000612916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCF5AD6EE6C920DFB22E83E16FF8D83,SHA256=10ECD1E631AD1F8B4E6D4C7B77B115B7104052C2253D7BDFC860209A30CD6E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:30.163{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.132{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C418EDAED86E5461760994563DFCD64,SHA256=EE04B89338E06DA113453F5AB4E7D9906A8522A439FBE7EA643D0FED861CDA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612905Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:30.132{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AE4920B39CB370BCDF3DEB1C8A866475,SHA256=9FD7B9BA75BD69BF6A053DF8A357195F8BD4F68167D9ABE253B8BB94145EE927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:30.011{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AB4D7AB255C676FDDD52D684605CA4D,SHA256=6CEC773FF44B22689BABC584596D6DE648563ADEFC4CF884DBC29F992C31705D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:31.788{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612C15B7C525A3A3332DD54693507AB9,SHA256=DFF65AFC8E557A27B235942DF7932CC4A4432A51C2FABBE22A2218B154B5C30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:31.370{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF37C84B90FE645D95ACE76F93FD0878,SHA256=649DAB77D39836993A06D07A6B7C275EDEBCED6BF71902F3D65B8188F1538A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:31.261{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323119623BCF41D750568A56E5B6294E,SHA256=A29FF52F09939FDD01CAA739AE36E9C89B8E4896635467DC48D7321CDC64A4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:32.804{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D7B324976CFDA4268CA58C3B81D14C,SHA256=9BCCC64712A1FA600DF0DD3400B48159E54420551714B548A4EDFA1AB727D30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:32.448{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29430F20C9EAEA5DB4C1B2B9B6A9BEF3,SHA256=E710CCEC64AD9A723AB4027DB7741D58432DAE9058BED5E4B8E3E58BA7A372AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:32.276{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6A19A4C5DE42521A3D1F37E3D67892,SHA256=07D421C0A53D1A8D7AB9F1A08E5F14D7442F6F30A095CB61E66CBD90E0507CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:32.261{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DC66E7CDABFBD8C732ECE43AD8706EE2,SHA256=19A33EAA19495D6341453B4E4EDE7CDA5F30BE082DC72F1FE5BE5FCE31D4A7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:33.820{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1159ABD0D7281A7A8C18B1EE7570F609,SHA256=0CECAF3201A0D582DA281B87B4386936592BA171B2EB51678263D393E6F0FF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:33.714{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C533763D6173808C9BF3FCBC2E940213,SHA256=3F8DBCD1434234832E7DDCC36A12838881DADA45D1C2CD1AE0798AC3CEEF8F26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:29.638{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58270-false10.0.1.12-8000- 23542300x8000000000000000669113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:33.292{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418BCB168A4C4C04934746535C7A8DE2,SHA256=BF8FD3DD5336DB11A3050B6FFBDA1772656CB89C710848C42F4143FBC74A15BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:34.820{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD286935809C4BABDD4797B58540A23F,SHA256=C6D2DE50711DE72D728D7E26B7E65A359C0B17050A431A02268DBC75FAC1C4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:34.823{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BA4BFDFB2E4F6DD1AE7D1EEE576CD91,SHA256=86D436DC79E01330A444B176549759C91F6D6CE35087D7C1D81FC85D64D84AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:34.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB48706A0D27CE5E982C477F63497D1,SHA256=9F0F3267EDE1F63779B6DBF373969465B76F3709FDF38BCF99F3810BCB8B8D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:35.835{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AABAA016081799DEDE979C7CA5921F,SHA256=1592CE0F2FEFB1BF6A0238026197CCC2718DA4FBE80078C20148298D7840F329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:35.323{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CDF15FEDD6A2A7BB5E2A0EAEDD3CF2,SHA256=431C90DB4FAF9651A927CF0663E707AE47B51EEAB6FA294C5BD6C59D1EB68604,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:32.868{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50899-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:35.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C5AB88B9C069CC27928A7228BFB54A,SHA256=4271AAE073AE4B61BEEC10F9A5D7D6EB5331A36A582F35F4CAE4784FA18CAF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:35.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B83C316E722E73313DFBC0AF4B9749E7,SHA256=6AF7A70E7C3FE441D8682275E57D79A27781FEFB6C06AF5F6057423D156D8F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612928Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:36.851{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A798DB021417EE9348509B23CE85B5,SHA256=FCE04A707B781A3AEC0A0ED461F60AD4B68239D35D23FE83B1A27497CA8B6DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:36.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7595DA4985E030B5D9EAC78B9E7765E,SHA256=DD6B1B0E388FBCEFD2830572F15DE8036A4021A2CA921CD2AF8A4F99424F25F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:36.073{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C468D599D926B4E4645A3FD5C99964E,SHA256=EB8C12B7BE4A13DB24AA6DA803C125D02B9E31B7A69BF1E0896904123CCC2C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612929Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:37.882{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC4BCEFE0800B56BFFE4839B463EC2F,SHA256=274E40480FFED61599798822AF637C4E72A59C342190C677BED26FA458481835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:37.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2600C5AB0DE178770DF4F75F1D84C964,SHA256=1538BF5E9836268C177818FC2C6A6DE37BBD5F4B097D6B1DBE721263C0FB3055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:37.354{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59477ED7B93203977E00930414678AEB,SHA256=0ADF966FDE8D75DD89487698100397F802482022F6B1F7F17729ADE5419B4EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612930Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:38.882{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC3611F51D30501B6D9D4AA1EB37142,SHA256=C9A28FACF07614A6F12B0367AFF5579B64154A10293D09E8F6FF78D16011DC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:38.901{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C34C52F439B51C20772931E6AFA70689,SHA256=274A92317497D9FFFB2F2BD72EEC07CD94E656577C93B6C1F91EA973A0726507,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:38.370{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B32F15CEA1EC9918233F8DA766606A,SHA256=B3F8754A90ED2114985F8EB5CF8548CE90444D4E8FF22F0F37B1F1550190BC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612931Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:39.897{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429DAD2CAA01120B2317B32CE933917D,SHA256=B6FF113EAF22F6C4931145853A24DD2F748D71D820153BDBB02CBF35526D9D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:39.962{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD04756571E522A549F378B2FAC999D6,SHA256=B29786A9DD7DE630C2FA4A224A90E4C563F4A1634B38351FE427CD3D00175DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:35.607{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58271-false10.0.1.12-8000- 23542300x8000000000000000669125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:39.401{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72752ABEDBC1D14CA83EB6F90FCE7968,SHA256=6F99C0D7C8D2995F8CDD16D5E59E2BF25B5FDB8FE549716A4B9BB6D55B90FDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612935Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:40.943{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4958877CAC39A6C489B2E9EB1E424D,SHA256=0FB4AE3CE22B767814CD3EF345CEA461C44D0C4839407CD3AC3E0A6460D3C842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:40.415{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040E7534FFC1B1E69329789DC34A0662,SHA256=4D5D5DC1E10BD96ACD67D888E75FB22F72E412EFE3AD3BE175CB6841BE2C142E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612934Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:38.071{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50900-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612933Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:40.256{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02D51B298CE25ECC80F088AE0FDE0EE1,SHA256=FC97677992863652214CCE52852E57D132E2CFF0B4326BA33E2D7E032854EF0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612932Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:40.256{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C5AB88B9C069CC27928A7228BFB54A,SHA256=4271AAE073AE4B61BEEC10F9A5D7D6EB5331A36A582F35F4CAE4784FA18CAF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612936Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:41.959{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE2A089AE91ACE8690144020B1EE1F9,SHA256=893374ADD57500908A6A792D2A5EB305A95B99332D44C9E497B6D5816AFF7F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:41.446{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D51B66FC455C86C4DD3881E6420301C,SHA256=D130A21ED63236882D6669EE49D9F76CF2E90C2EB1E5DD9AFC5B68EF7806630B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:41.180{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B918600C7A0962B2AACF67752D91B3,SHA256=6921CD4EBA1E8DC4C086EA5DC8D8B8F91ADF01B6F6F88BA7618A35D88D8D07C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:42.975{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CDA9F9105E390B8FE03EAA8C6D4227,SHA256=E2DBC6E17363BA3A2217B743B5877B9081C73E9F6CF0B11EFF695516E9B89A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:42.680{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEE982E2B95DDE73367F7A22558B9881,SHA256=E603E93CC44131E2124DBF419A6C0F028A9C02CEA5DAF7BC610D6F60380A8DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:42.462{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5774A275037C6390967AC97FB2F50284,SHA256=3A68CF22015784EE5A708EF81EF6D20796F78CF009142EE4514471CCBDFA6CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:43.990{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09B08FAEF65FD4FB9653357CAD16543,SHA256=A06B60EB1305F2A91151B9B27B0DF3C1DD515854553D106329EA5161750DD029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:43.852{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB2C7EE83FE0630A85CF828913F78599,SHA256=3E64325762C203C388D0CD6A691AFA60F25F193B722978206B9FBAACACE85183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:43.477{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAE313424322F3213C3A4E953C84C5D,SHA256=B4B31D290CA01FBC8BF96CC26BC21263E5C6BB3807B2769C2CF292053DE27632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:44.990{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EFB888AB9D0AB919DF1D263B80A2CD,SHA256=F411CAFCF1A978858EAD91A34F6E5D333A99576BDF4DE4DBE481294864A036CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:44.977{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238899A45F52228899D2B4B33F0C1DC1,SHA256=255CB1E14CA796D30031A3ACE49DEC34399020197B1157C655F289E990B7D6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:44.493{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0129FC2815405DF3FB37D0D58E370C4,SHA256=93207696ACC57AB47BAFDFCCDD653D02D27AC59362F3611F3C83C19C801BE44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:45.990{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C7FFD47E59C939F2CF764ABF305C41,SHA256=FD0AFBC31B8F9F96BD103A209F53BA96E1435FDFE9E472CC006AC1E69AF8280C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:45.524{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA15CA52CE9B7DAF0BF7672F9B29C5A1,SHA256=1E7D90953CCAB948D17AB2FB70A1563FDA004F5D2E8FD2A37900F7BDB46E6216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:46.712{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:46.712{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:46.712{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:46.540{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637E2A5D5E80FF489E3E92BCDB623CA5,SHA256=C3A261A6CE8FD35BD2B792212A82365CC771901885B37C4C2A219C26B2C752F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000612943Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:44.023{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50901-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000612942Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:46.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2C227709277CD4956DF227FF3765DD1,SHA256=BFC67FC1A1707432110BBE4EA9F2733C5651DE633592672F63AF57BDC7515EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:46.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02D51B298CE25ECC80F088AE0FDE0EE1,SHA256=FC97677992863652214CCE52852E57D132E2CFF0B4326BA33E2D7E032854EF0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:46.243{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D3F98FBEB6DB26144B1E71BE0B5C350,SHA256=835B13EBD57E2951BCDC28004FFC5609E09DEEC7B060BEFF2B03B8C88530A3AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:41.573{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58272-false10.0.1.12-8000- 23542300x8000000000000000669145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:47.712{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB7980E6A4439ED60FDD3788EFD9D1E1,SHA256=818BDBE4B1BD203411B6C188B32D5ABC6613109D40E7AB80AE781D1D9B7C9238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:47.571{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C0699C7372582CA34116BDF91BE340,SHA256=FD51D64B6A33A8D531559A688B9BC25CA0105C89F6076BDDD1CC9B2DDA1E680F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612944Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:47.006{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19201FF64CAF53FEE95D9EB8CC5F1D56,SHA256=98A76A781AA20AFB8BC3A0F333920CAC13F4DDC5D45B7B6A7BD03D6ACB8013A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:48.852{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A39FC7C353A026B3FE86FF2C49C0F6C,SHA256=4B092DEAEEDAE02CEF5AB870D3A3E484DDC822028AA1CD61CD21DDB955547675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:48.602{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FC0CE3746380F59B8D9ED28788B32F,SHA256=4A963D6A80391823D3E2EA737EDEFA7075B7AE5C1CB3B318F0CF088A72422F0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.850{97C2ED32-F404-60B8-3D5B-00000000C501}37083152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.693{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F404-60B8-3D5B-00000000C501}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.693{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:48.693{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.693{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:48.693{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612951Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.693{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F404-60B8-3D5B-00000000C501}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612950Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.693{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F404-60B8-3D5B-00000000C501}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612949Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.694{97C2ED32-F404-60B8-3D5B-00000000C501}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000612948Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:48.443{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612947Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.443{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612946Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:48.443{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000612945Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:48.068{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC66819E4D8CE9EDAC5E217B654AEAF,SHA256=86AAF72724D7BFB775F015B04A820EBB22CA7E2C0E77B9C268F112E7BDC84F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:49.618{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A93A94ACBFBCB8EFA2A96E9E6F085,SHA256=0F79A254DCB601DF0C49E1C2B137B5DF968074F61C68EC3841FE0BD9003459FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000612968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:49.725{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2C227709277CD4956DF227FF3765DD1,SHA256=BFC67FC1A1707432110BBE4EA9F2733C5651DE633592672F63AF57BDC7515EB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000612967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:49.490{97C2ED32-F405-60B8-3E5B-00000000C501}55442520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:49.365{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F405-60B8-3E5B-00000000C501}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:49.365{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:49.365{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:52.053{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613002Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:52.053{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613001Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:52.053{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:52.053{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:52.053{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F408-60B8-425B-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000612998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:52.053{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F408-60B8-425B-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000612997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:52.054{97C2ED32-F408-60B8-425B-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:53.868{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=382744DA24E5CCD6BCAF6C9AF02EC241,SHA256=20DDF7BF5167C5C592BEC63038B55BA99707274EE038C58A134B5C70203B7CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:53.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEDEB9284FAC41F307CAC3A10271D6D,SHA256=AF3969FF5310B76A91AD6A943BA8D5C19F4A0AD0E9C9697263101BBF3D623281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:53.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7EE06C3D43899B5AD66A45DFED81D6,SHA256=B0D7A5FD4359270A8ADD879229B07B71F0316B0377D85680FD84C8E45023D111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:53.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D336030316D4AD67644163EE092FAA6,SHA256=5F532D128742BF8A81E5EA4D0A920643DFB75EAF56D1FB833B9ED7D54A6C2087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:54.837{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC97B97283F31E57DA940E010F8F441,SHA256=8E400A6441D82C7D9CC9DBCB1DB79DC5EC55C58B10847980019C8A83BB5ED4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:54.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B480855C724177BBEA83A9EE02978,SHA256=CA93FFAEF62ADBA73222DDB80B2BAC10134D62035E9A3C7019D0D06B413E2C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:55.884{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0DA38ACCEAC84CBDD61C1713DB0F8A,SHA256=693B7EE996B4278A8D1C853690F5E9A2864E6736A66EDF8E23B9B5BCCE425530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:55.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3653EB18F96F6D48C239C57E9181F40D,SHA256=86899E739D9899ACF5DAD91097B87E8A74C96C5E0D6C5986698680D13FF1C2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:55.009{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F41FE75FE0E9D9FC5D0E532E8D4B301,SHA256=8645BF973CE3670E96C9D25BD301CF0112E661E94D7221B2911C5BBC79DF7A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:56.915{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24B83F41F509FA9B52BF06E9ACA0FD2,SHA256=D49530B3F6254F0377B53EF0E6D99F1A922C47F4695B55A0AB763DB8A94CE10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:23:56.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FFFA46B4667E84847A2CC5D92BF8CA3,SHA256=3C4E1B4F4BAD1067AB951F5AF743B87654CFA5D62A27B7C32F8E2A335460C0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:56.256{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16407E7DD5943D5547014E73BD6DEC1,SHA256=17B55345B828373DC99DE0C102AE2AD433E59FDF6D4C4F68A711FB7364D5753B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:57.930{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A108DAAC0F541569233F91C5820AF0E4,SHA256=51B400E745752CDCE930F6DB60BBA1AAD73DBAE1C70AB3F17AE976FAFA251171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:57.256{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11C9DE056B099D09CC2C2798C00EF4A,SHA256=6A535DE799D58B553FD09FA6ECC51CAEDD41DF9B28260509C8EA3AC1883839EF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000669164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:52.683{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58274-false10.0.1.12-8000- 23542300x8000000000000000669163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:57.321{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070E33BCE4CA0E83530FC354FD2231E9,SHA256=F6EA6E0A628C7CAD16F1844BAA05F84E8D86B392673FE47AEF44DE8DECB6AAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:58.962{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479C222F31E97EDC2960B2B73C39955D,SHA256=C141181413A398282B7CCA0631328A66C4ED740A2FE49C6836B9F7A085097FF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:55.913{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50903-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:58.303{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CFACC222473A97E575A112C76843FE,SHA256=454B468793C0A6764B817FEEB5E87DEA23727809778F43777E0B669F1C0A30D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:58.446{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84217FCE7A63C94701092136FDC6BB57,SHA256=1C91E19919F8FCA3C8D6E190E7CC7A7CA2F3CB07550B8FB31BC0823B7FD737F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:58.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42F9C4AB3F9DDE419AF8B469DD7963CC,SHA256=1990AB8F051AB1D5168C1845BDF703F20DB7F4FAC2BAACE8F93C9573B783253D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:59.965{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF1F3E1B51E63F0010401AFE8F1EE76,SHA256=D5E739379B621F3F0FA4F05CFA7549E09D5D7CFA545F5E19B16FA47835C7259D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:23:59.318{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:59.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7880B9CA7B6E5BE520755F46B2C4A2D9,SHA256=EC58FEE443712C4FD5BA0DF1E859DE84ADA65EAABD17CC35853647787D8F8534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:59.715{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACF0DCDDA2A9372178B68D0B2756B07,SHA256=4BFF5782D240EB355FFA886E670B2A8BA68B0334FC4EB40BFAB6FABCF5970FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:00.981{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1E7B31C583128551A302B9A0833B2B,SHA256=7B5ADDE6DFCD58A0E22DDC73C29FFD7DB84CC71214A0511CEAE5A6EA5CCB8F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:00.353{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E379F9083291D4D956CD877E11D69E82,SHA256=F971A54DCC8966C380A7977F47F2A50FB55AD86C5C32282B75D52EEB28FF5BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:00.322{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFEDC399328EA87A25927D97C098466,SHA256=ADCAA092F88EADB605273495A4630BA430BCE7D970124E6238DA48520CF79608,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:23:58.148{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50904-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000613030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:01.322{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19853F9C177D928737BE30E5DEF1D15,SHA256=0648170D070CEAB65C75FCFBF11E654AB28A2AE9B0ABE7CA7B01F31388D19320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:01.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1E335631A8747BAFAA9D335A03E32E,SHA256=ED1EFE6B8F705F8AB333D72C84E9672E8E82B29AAC45BFC3C52AF52794E61750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:02.432{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B9592026CD6E77BF6F5A6A83C4F5F73,SHA256=6926495C793229EC7601082C12F7F76783C3BD28DE9299EB36CBF89559D34BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:02.323{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F4B3F33183B04BDA44448A566C0A88,SHA256=83F3BBB3F8EBCC5B3A27EED707CEE8442FB5886DB03ACEEE6A7AA64A477CD2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:02.418{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04C8220EF502D00AD93F93A3FB639AF4,SHA256=70F287A011CADB40B18E845D8134EE919A5ADD5AA42F58D6ED95565676114ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:02.293{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:02.012{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8EE4C412375BB738A267B4EF3DA321,SHA256=8235DEBE476F3A7C0C28E6AAEA597A25F5A57E41AA7AA3C4E5DCE328F79AFCDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:00.949{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50905-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:03.324{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EB9CE26EE234C264C8E2E56E55E829,SHA256=A6FC3E10BE85BC65E0C9E3DF9D8D9126ADB964F4BF5D932DAB6F83234C8226D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:23:59.725{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
10341000x8000000000000000669243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:15.893{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.893{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F41F-60B8-0951-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.893{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F41F-60B8-0951-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.894{D419E45B-F41F-60B8-0951-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000669237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.612{D419E45B-F41F-60B8-0851-00000000C401}56844948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.425{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C87AE813D67ED2A8446F57D353D0544,SHA256=D7DE62C8077BA9777F5C8D7254CF3C6A7F4C175DBD8E92BDAE006334BF0F9A5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.393{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F41F-60B8-0851-00000000C401}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:15.393{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.393{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.393{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F41F-60B8-0851-00000000C401}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.393{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:15.393{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.393{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F41F-60B8-0851-00000000C401}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:15.394{D419E45B-F41F-60B8-0851-00000000C401}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613052Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:15.248{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4551EDD3520FD49FE17C46059FEF4EBB,SHA256=4625BAF441F6CF242349F12A89D1C91F9FAAE253D657492DC835C10AA388122F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613051Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:15.248{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ABA54F00E7628F282B82427E70F77F7,SHA256=F2C32CD151FAEFE89801C8609344D821369036D5FF065CA6C1848433EADDB45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613055Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:16.530{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEFD97FC013F2FD299A77D341E9C045,SHA256=BE2B1C048271D3AD2EAE13091CEB99221EDD4B8659709394D32241A91ED57941,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.534{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F420-60B8-0A51-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.534{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:16.534{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.534{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:16.534{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.534{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F420-60B8-0A51-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.534{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F420-60B8-0A51-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.535{D419E45B-F420-60B8-0A51-00000000C401}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028EFB170B71709984EBE7BAC42DA407,SHA256=ABD7BCA139626B676519CD61181BF266137746EEEAD20B02045DE16F212B0C8B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000613054Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:12.937{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50907-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000669247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:16.050{D419E45B-F41F-60B8-0951-00000000C401}66605908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613056Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:17.545{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346F64A9905B1E47A92881506DC82914,SHA256=40B1255495422ED0E84C67AAC37F47F45CB0E32D33C49E8189301669EE65E502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.862{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F421-60B8-0C51-00000000C401}960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.862{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:17.862{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.862{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:17.862{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.862{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F421-60B8-0C51-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.862{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F421-60B8-0C51-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.847{D419E45B-F421-60B8-0C51-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A49E1B5DE85B02ABAD3762550BFE33,SHA256=F9440F30A9DBC697966CE3A7F26D036FBCAC326D92C40CD6A5FCBDC3B5429406,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000669266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.347{D419E45B-F421-60B8-0B51-00000000C401}9005416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.175{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F421-60B8-0B51-00000000C401}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:17.175{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.175{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:17.175{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.175{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.159{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F421-60B8-0B51-00000000C401}900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.159{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F421-60B8-0B51-00000000C401}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.163{D419E45B-F421-60B8-0B51-00000000C401}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:17.159{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FF060FF04049682CD0729C8B4CAFDB2,SHA256=7F832644BA0D8DBA73317C8588CD9A7E4B103A348BDC35FA121681B5994798A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:18.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80222BF9398B549AF0385513B41FBDF0,SHA256=27F41A634F16CE04442AA94972B152A240B532344CDE4D3005F003AA57212A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:18.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A3E0D818EC713D71C209F655559B3E,SHA256=9CF9EA01E5AC39D0C01FF47A06AB2760657080CE7BD2A31F5B2D26A48A6322CC,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x8000000000000000669277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:24:18.503{D419E45B-752F-60B6-1200-00000000C401}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7588c-0x85414e94) 23542300x8000000000000000613057Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:18.545{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83739A25ABB0AF4CB92C7AEF1B2BA5FA,SHA256=ED9A96C6813D546E7BD3CDC9B9B394EE8C951755B4E2277A195C79D6A88232F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:14.474{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58283-false10.0.1.12-8000- 23542300x8000000000000000669281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:19.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF2421A0BAFC1719735BB8DC318C321B,SHA256=6E23AA3D40517D2E64BCB66E9B3878573C021E73F121657B1662F6066E6074F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:19.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BB57789495EE6177BAF6D9E4AA764A,SHA256=E61E42F4447D4CCC8A82DEF5E3DD06C8361E4F1F8592E1F9EA1636AFBE247E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:19.545{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9605EB59A69208F18F439813432C62B0,SHA256=D4A9E5C0C133618C45135DD23196375D7031E2B25C6EAB2942F4D10D7D0924FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:20.977{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C6E7D4C15A579A109402347C66F734,SHA256=6F63C8EC3F0B5502041F60BA1E7189974D39DC5DA9D0BC5BBC189B522DF2C96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:20.553{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE12AC39881B020A8464999D5231A48,SHA256=91BE8E49E7826AC94CE938B71A5AED0E2AC1FDF3A0002A89E18F822E1AF11EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:20.633{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B53702A92B02FF484619A2A758329D,SHA256=3AEE487318DF4ED5BEE4FC67002A79D093447C3C3CEE6C80240BFC3FB0B82911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:20.240{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4551EDD3520FD49FE17C46059FEF4EBB,SHA256=4625BAF441F6CF242349F12A89D1C91F9FAAE253D657492DC835C10AA388122F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:21.553{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BC2FCD6C858CB8489671A8370B52C9,SHA256=97F81CFC980AC8F51BABFB185C842C3AC7155CE4583BEDDDCDD72399ED363F1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:18.031{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50908-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:22.553{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356CA789F3B676B47E64AA3CB943A202,SHA256=D11F4C4DAC90083443DD9EAB62783A978A7F5E24A0944D87D19DFB6628DC9E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:22.133{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF949847C6273EACA2DDE8D913F7B9AF,SHA256=B66B335532564887B8011076D89EA5CFE7A2DDEB65941A489EEA0D56E35065C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:22.133{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB192384FD13503E347CCC5443E3CC78,SHA256=77C3854017ED9738AD1046EC330FA8C96BF530B54600E51A6F944B5FD634EB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:23.553{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8FCDE89ABA75B27DDA37420478D634,SHA256=87BBF98CCBA53C4B1333054427EEA1B077697D924CF535A848731EE92CD071F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:23.290{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2453CD7FE6315DD15A9D48874149F248,SHA256=AF8CCEB6819721D241CEB171B0C53E121D1C3F8F5CA7142A3C42E35D7727AE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:23.133{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED01D2133C2728082A6272DAFBD68E1,SHA256=8DC08F88FE7AB320EB1D54EDC9F9B2F07A907379B727C6C6257BACFA2CE837AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:24.553{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020F16813AD698F2F11F216BE39B2AB3,SHA256=88A8BFFA6D40BC995EC8B483A12385BE9DA5392BFDEBFD7CB005FFF848E45FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:20.495{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58284-false10.0.1.12-8000- 23542300x8000000000000000669289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:24.274{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F40309DEF781F8B40E7A97D2C1016FB2,SHA256=6A5329D9348DC6CD251D530838F4940C0CA1D12E6F6F75B3597D95D9CA35BE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:24.180{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91323E1F1D1399A9026E7372BC0B0F5B,SHA256=51C0665D50F8B1A1E4B8C8C4CB00306ED1D81E4A3ABABA419D089E77FE9E285C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:25.462{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1637BC2DB86B6C0674CFEC3D5F5D49CD,SHA256=59DED6A4CC7471BE2D83007F964B25DFBFE9625E89110E155C6FC5499AA96749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:25.196{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F8ABEA705DECCC21787F3B16B6A045,SHA256=FD33CAF9D160354C1C8284E918584A7052D0C14D675DB3B85160CC486AFED3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:25.568{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94C5334A2AF056C7437DAE54E17EAA5,SHA256=E7FCE1AA60BAEC1F69352A0E8526E5EAAA1D50AD8E2EBCD74DEA8AB1B9DBA3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:26.584{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE190F22023112AA38E22F9C8DB64C2,SHA256=D58AA87E2A413A3CC07497613047E4A89463332ACAA352D7E0A71EB154E99AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:26.618{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E217E064E276B9F3F8E4DCD80F82E698,SHA256=55781AD4A87D8D351C3F7D9C0812C01D098BFBC1CE2E9BE9A5ACB0F2BC47DE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:26.212{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15042D2DBAAAFF8A422840C968C9CF0E,SHA256=5B468D4AE5DE560070BD02C16FEE833A5529627A5281AB28B6CC42A92F343E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:24.038{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50909-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:26.240{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7C586E1C8B0DD03032F6D6DEC5F6CE5,SHA256=4EE030161B7DA942C1D2C6112A3734A88B604BA59C6951EFDFDDBB25ADDC5F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:26.240{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E200A6553C51EAC903A1FC0C4504424D,SHA256=25F6C3BF02D094A311A4E04B52468D27772B79EB93EE964C55ECA9560E4459CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:27.584{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6872BB0E7FEAED18BE143DF724EE7247,SHA256=86465148F19D69B1AD9EAE2795EAC792C5A837FE47E2DDB4934F74DC916F0755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:27.743{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C014A073B0F16A39F1CC52EE3661E7B,SHA256=F0E72AE2CFC49EFF75BE89539A872A531426D14713475D913447AD20F8426204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:27.227{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E25C160C0B9C98D73B16E50D89F713,SHA256=A4F0E80534213B335AF4D91EB39C7236EDE25A090A53AD5F5E5E83D5EE2C1737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:28.584{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB19D9E8AEADE9A47C7018BD48C63BFC,SHA256=62FAA40550173CAA6320EAF1E27CCF5AC9DB7711642EF255FCDDA93A519656CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:28.258{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098E0F71B4CD07A546FE2D7957C4E58E,SHA256=8A7D734F987623EB19FD3C681E03F080D8930B7273526309FEAAF4F93ECB6C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:48.702{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613106Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:48.702{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F440-60B8-445B-00000000C501}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613105Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:48.702{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F440-60B8-445B-00000000C501}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613104Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:48.703{97C2ED32-F440-60B8-445B-00000000C501}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000613124Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:46.938{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50913-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613123Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.983{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BC8CA4BAF229995E60707865ADAB19,SHA256=6AEB67495EC80DE5AC3CCB73E0ABB984D1B3344E9042760A2F76AE7A950D323D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:49.376{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3464A5DF87D5960B74853A87154A836,SHA256=5E8389D9BF1E642D1D3A7AD727B118C2C538A7E2E876E95DBFF971240519D5FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613122Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.514{97C2ED32-F441-60B8-455B-00000000C501}45524276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613121Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.374{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F441-60B8-455B-00000000C501}4552C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613120Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.374{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613119Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:49.374{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613118Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.374{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613117Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:49.374{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.374{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F441-60B8-455B-00000000C501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.374{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F441-60B8-455B-00000000C501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.374{97C2ED32-F441-60B8-455B-00000000C501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:49.093{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F686370D91CD9CA6550575FF834A8B6,SHA256=1F5C17715F8DCB928C9B0A58A6EA896A6C1DBFD16BACE5D2322D820DEFBC8909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:24:50.611{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78696C334765C907AB917CD2F6138927,SHA256=1664442112A21AEA554D95D776F845BBD8165D0DC5D404106622609B24B9E8EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:46.065{D419E45B-752F-60B6-1200-00000000C401}480C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-233.attackrange.local123ntpfalse13.86.101.172-123ntp 23542300x8000000000000000669342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:50.001{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A41263BBE8D3B1FE7EC305A861DB86,SHA256=1EE0FC9DA38C3F554D0DD5349003BA5A643D42EBD0561073FDC0B26A507AE8C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.686{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F442-60B8-475B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:50.686{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613140Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.686{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613139Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:50.686{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613138Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.686{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:50.686{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F442-60B8-475B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.686{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F442-60B8-475B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.687{97C2ED32-F442-60B8-475B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.452{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B4510EC974258B762B30453251929A8,SHA256=6EB1E41A18C3592A4B29C767C29CDEECFCC46D364CCE0B3F203921B4BDC7219A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.202{97C2ED32-F442-60B8-465B-00000000C501}5224852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.046{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F442-60B8-465B-00000000C501}5224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.046{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:50.046{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613129Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:50.046{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613128Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC73DF2800EDAACBB9BCBF1450382C1,SHA256=274FAD1A0C7C2B9E22CE33A81F152ED23571152538C4FF8B1A97AD330F977715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:00.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC9FA52CB3F06B54116742359BD5959,SHA256=8B97FE86ADB3FAE2556AB89A29DBE2C6FB792BCF9C5021E16B31F01F312B25F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:00.172{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E296D25751373F82ABA7202A299E602F,SHA256=5D674B050E74FA4212832A2B67527F84C612619388BF8A29723453747D25E029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:00.172{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D567E78F6906EBF53B4534E86E8D6DB0,SHA256=C046A582A5535AA9317C16BE1F25829C55D59343149E5A79748AB6069E5829C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:24:58.174{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50916-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000613186Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:24:57.906{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50915-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613185Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:01.282{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB55E7E305540FD310A753B5551336D2,SHA256=1D379B427F6C993BF390E4E04C001FF36A06598993680470B6E2781CDCED44FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:01.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B59AD22C6931A99B9304FAFA6B6BEE13,SHA256=B0C236322200B6110197426B35DD45C444D613127F16376F6ED42623E049EAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:01.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA484DC253038FE50AC02801F089A921,SHA256=4E3725370B42596BE757A6C1CD8504D5C52F095C3C0E0970D794CA393201ED18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:02.438{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E926F926F0896231377D2023D924333D,SHA256=4C004BC3EF3251D08714E2C87795D3E2EC57CE56D2CD965085C18FB6A987F968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:02.282{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D4E0D44485A54F922826E75AE4ECFD,SHA256=B4266C47533BE000E310F84542EDE62E939064E43B74F6E1CF0844CE95ACD401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:02.316{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:02.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B421BDB5640993E993E92E12992A1030,SHA256=4BB17AB6232F7F8ACE4B957760EC8E577DE2AE135EA0F4A87474241C935E4FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:03.300{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDC5974DBBF571A9D1B83A12CB2E984,SHA256=E7066749F4ED4E7119AC623C05195A3761E0018ADB03F1A4E5EC793A38E815F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:59.755{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58292-false10.0.1.12-8089- 354300x8000000000000000669371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:24:59.661{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58291-false10.0.1.12-8000- 23542300x8000000000000000669370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:03.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C726D9B64BB2932C7CC27ECC034D1B2E,SHA256=84D55BB1ED227D0533DC72204A076731793F368D85E68FB730D6FDAD158B344D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:03.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D73C24ECE3DC98A5B09FC98C39EB94,SHA256=FD18CF1F5D30DFE84A7D686AB2B26278629D46CC8C7F669524D574533972EC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:04.488{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5E336731876D9F3533556B3A7B8C0A,SHA256=AE1124516010DBA3A5DD29632A8EFD4FAAAC91EFC509770E0A202F40439E5E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:04.347{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685E80DA8BFF222BB5FA3366125455FF,SHA256=CFB49D206C8916DBABEDB33A1AC30950AE0E35E756668D4F27550FB65FABCC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:04.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261BC2915984071E737268193B9E15F3,SHA256=333A8A71C4007E868E3B2160479D882F8E247FF46C68D7F37AFCB5CC31314CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:05.628{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3306BBB6098851F7CA40B28280A1429,SHA256=283CAEA8ECEB347439E4BAC80EBD78FCBCB841D3A550A1DFCE4C1117F43019DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:05.566{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B636AA4085BC32CBCB36CB9D405D51,SHA256=0F4BA1277830DB86349D0B542AC075F8D316FF901270B42A75D012A43783887B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:05.347{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5548C7B5381BC5D98B91DA39A52972D,SHA256=EA1F0AB949A0E3541821F83908EF6682B1266E1DE5BE67BE2C1CE588C651EA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:05.172{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C1705CE81475877C9A905AD3482A3AA,SHA256=8CA68EA1B41208B67C6351F7007B2F908E72AD378E98BEC55D5D6CCDB81CBFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:05.172{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E296D25751373F82ABA7202A299E602F,SHA256=5D674B050E74FA4212832A2B67527F84C612619388BF8A29723453747D25E029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:06.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABFCF10895A8336586889D86844D7089,SHA256=4568612761AF87011F69EB5F4344ACF75DFFF54DFA7DEF3FFCE7F5C1A444B343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:06.597{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D487FBEA3475F9F13D1D6D84B8781D2,SHA256=11BC3882C68F7786E33BAE6D23154A676BC5466B978812A385D5AAB8EECFFD4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613196Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:03.004{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50917-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:06.347{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAA8289854E5EE93760C78137AD0140,SHA256=8BC733620E14F982300D5B5210AFF68A9DFEF82E2FCF017A419B33FEB1AEB401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613197Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:07.409{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E100DC3F0B913F76BF71574AB95F40,SHA256=7102F496BEBEAC5D482E287DC4271D4E0D144984FC2063310F95626B7DCDABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:07.908{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33B6A74958E03EEBBED34EA89D20B2B,SHA256=9521B8F67960F90BF547F9A4485F60FE0334F3AEC7CE340DD210073DA35B0A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:07.614{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4912D11FF80A2347705B347A1A279FDF,SHA256=56B98B1D6CDDDC62D2091CD66A7128086FB415E1970FB7D2122E275E5A8C1F01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:02.505{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58293-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000669379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:02.505{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58293-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000669384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:04.709{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58294-false10.0.1.12-8000- 23542300x8000000000000000669383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:08.627{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5195308F79073E1F7759629CF0D73682,SHA256=F0BAA356B9714777606E03BCB473B2FA2B336C661F178901A317B1A39B5A1428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613200Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:08.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEE1C4FE7DDB1CC730E4FB5AD8414E7,SHA256=978C4BA9DAEE38A1BD6BFA94612DF02961E2803A9B787E96DE93B2D08D2D4A94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613199Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:08.159{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613198Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:08.159{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:09.834{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE4449FDA16854BCC681059CC873ECC,SHA256=921D366C608F0313267B441110A675ABFEEF18191D02D1404E0F1343B8176292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613201Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:09.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CEB92AA65C6BD41CA574DA962F05F6,SHA256=7BF2E817849492453D7BDCDCBFFB847F364B22F259C2BC4AC9B1EDF6B754D901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:09.240{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B2D1BA44FB5B5617F062339CE602D74,SHA256=7AA73804EFDB0EB40CE99244288486D62002ABA15858D239B72B7026243A7B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:10.850{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FF0FA01ADFD599A8E9354F0AC70545,SHA256=877654C56980A798290CA923C5422DACA549D38C86C503769347E33AD7CB27EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613204Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:10.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C26E1913787EC8EB9CB8EBF635050539,SHA256=012A11B56ABA513692005335AE99E064FC57E1F967E25F29817441238011664A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613203Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:10.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309550927E2DA54EFACDDF6B8E34ECF6,SHA256=9BCB11D7A02146F651FDDE19F48DA95D6C7CA75CD2A0DA037DFE6CAC1AF423D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613202Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:10.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C1705CE81475877C9A905AD3482A3AA,SHA256=8CA68EA1B41208B67C6351F7007B2F908E72AD378E98BEC55D5D6CCDB81CBFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:10.350{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF7F51EBB6A364F229C1B238597748E8,SHA256=9235F3D29A043CA2F155AD071AFBC3AA2FD88A4C061CACCF07ED21598C0D5729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:11.850{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FD087BF6E87D0C7773A536EF1FF0FE,SHA256=D3393BB77EE7B388D6BADCF31817203AE4AECA6FED822D777E9517EFB8BA284F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613233Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:11.769{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779E1314DDCE13FD4409BC180CA30AEB,SHA256=9BECC582AC7D27B08B3AE434EC23B35C9B7F231396B17345A1DE794FA14AFA49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613232Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:08.098{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50918-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000669389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:11.631{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D269581CAC0847CA47FD7C95378E092,SHA256=7824574F8AC483AAED3648B732F0E4087B3394DC1F893FDA37219FE17AE4E37A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613231Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.928{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:15.928{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.928{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:15.928{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.928{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F45B-60B8-1051-00000000C401}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.928{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F45B-60B8-1051-00000000C401}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.928{D419E45B-F45B-60B8-1051-00000000C401}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.537{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4676E78087670A8169E3168FFB197180,SHA256=7D2FA8A83A4513C53D89D4D9F061A3AB2D23889993F610A19B865EE7740F8E5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:15.396{D419E45B-F45B-60B8-0F51-00000000C401}70644672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.256{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F45B-60B8-0F51-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.240{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F45B-60B8-0F51-00000000C401}7064C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.240{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F45B-60B8-0F51-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:15.241{D419E45B-F45B-60B8-0F51-00000000C401}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000669413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:10.601{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58295-false10.0.1.12-8000- 23542300x8000000000000000613241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:16.784{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A944C3F3F4DDB69FCF8DB02EF980674B,SHA256=DD4C02766D05200E66ED5BCBBE86F3E8D71884726B947B723462006F7C57B060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.818{D419E45B-F45C-60B8-1151-00000000C401}17966232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.600{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F45C-60B8-1151-00000000C401}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.600{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:16.600{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.600{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:16.600{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.600{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F45C-60B8-1151-00000000C401}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.600{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F45C-60B8-1151-00000000C401}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.591{D419E45B-F45C-60B8-1151-00000000C401}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.584{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=407B5722AD84CA655DE259E5BC68E662,SHA256=A3E8BAAEDD197C4C3FE531B71FB7491DB71A547F9191152AFF6F7F4C69FF4D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:16.100{D419E45B-F45B-60B8-1051-00000000C401}57685716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:16.006{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DFADB12B443439FAA8E4FB690613CF,SHA256=71C2D2ACE9DDBC6F458947BD65547033F2534C7ACF78E354885A113163B4590A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:13.926{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50919-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:16.331{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
15:25:29.137{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F469-60B8-4C5B-00000000C501}5596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.137{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:29.137{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.137{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:29.137{97C2ED32-F469-60B8-4C5B-00000000C501}55964548C:\Windows\system32\conhost.exe{97C2ED32-F469-60B8-4B5B-00000000C501}5740C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.122{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-F469-60B8-4C5B-00000000C501}5596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.122{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:29.122{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.122{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:29.122{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.122{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-F469-60B8-4B5B-00000000C501}5740C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:29.122{97C2ED32-9D3E-60B6-7A08-00000000C501}33644692C:\Windows\system32\ServerManager.exe{97C2ED32-F469-60B8-4B5B-00000000C501}5740C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.
30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000613260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.121{97C2ED32-F469-60B8-4B5B-00000000C501}5740C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000613259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.075{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=2B2BEC052EA2A4B04E155E342EEA2FA2,SHA256=7CDB9D07E24DAB5F8FAD399A4FECB93C04815F98AE91DB289DA7843E79E0394D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:30.499{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2484FD911A5911428140FD849641921,SHA256=B72B2F3D65545E7D38E56FBB1A34DC233532B478D4E9235045B45D65FC42E59B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000613294Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:28.020{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50922-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000613293Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:28.020{97C2ED32-F469-60B8-4B5B-00000000C501}5740<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50922-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 10341000x8000000000000000613292Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613291Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613290Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613289Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613288Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E15BD3C8D6BB2EA38C8E3ECABA9EF3A,SHA256=CC2343C7937801982F9E4CD9B58E6AD06A04873AD0CF255DE521301458443DC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:30.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E486FCE0C2722C7EA56CC2AD2D73B15B,SHA256=C8E8CD8ADA6A0D6282C065E2C012D6AA6230FE8F44680CB56353D2C56F4EE65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:30.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CA021E13A748D97D2CD2BDD0AFE46D35,SHA256=AE7F842E02CD796DC48527EE971455A54E4AAB1DA936E45E4AEF95A17BC57285,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:30.106{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-1200-00000000C501}1016C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.996{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D3E6E13E6FE8ACCD77F5163C4EEB6D,SHA256=2DDD5DE4D69E1EA19E7441D2C8B62310B01E1D0D2E6A7ACFCB647D0928B2BADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:31.515{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF383B590B9A8FD5F5B0A05745AEA2CC,SHA256=CA68D9605DDB03130636279401C5E3E215A6935B5C3BD88917E008F7BB9508CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613295Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:31.012{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB6783E1F350066358B0038C35901C3,SHA256=677E91581CAE49E79127E9889F783D4FB35770B76EBB07444790D1273B81CE1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:27.610{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58298-false10.0.1.12-8000- 23542300x8000000000000000669487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:31.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70004F50BDC51D60CBF6BC232C40C5D5,SHA256=89FB48D3349C3FE3FF14DF4433E34F4A7072AF2AA727B79AC3E8B0D40AB3CC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:32.530{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AC2BBFFF4B687798530BAA53C2E2FE,SHA256=4AA87223AA9FECD7DB49348D26C48CD25742D280F2AF3438D76B33E05C57CFFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613298Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:29.920{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50923-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613297Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:32.121{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5B2BD9BBB79BF62426A09189D6C6488,SHA256=6BDB88957AC5ABBB8C6227722F326E7857E72CEE35465A5558F805C8005D4DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613296Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:32.012{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5838DC4E3689357A3CDF9C27C566F5C0,SHA256=5CF7564B5E8C9BDE9F670D9A3FF6D0475515A52FD7D6607DC813379F99F51BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:32.280{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=70869040E8F74F6A018BEED9E1258DC8,SHA256=BBEC3544E32F377C57702A10E70075707186ADC0022E01456679F729D4E705AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:32.265{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E1ED866DDE30EE45088EC558E3F84A8,SHA256=CF760912A47CD3F343833434D27A93FBBAB6FD33FAC9694E6C490903CACB45D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:33.780{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9F19A84E3A5B55ED567A0F070602FBD,SHA256=5C8847DA62F73E35904FCB7133BEDE83CD6042529E961A66CE89A1E6FEBBC910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:33.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E5F64B7EA8C9398FB060CD1031EFDA,SHA256=6067B0E1FAB904F14BE0FE046A83446FB0B7A0D02E3F1820A2894DD7FCB0503A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:33.043{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EB1DA2A7BF155B7BC6935C201BD727,SHA256=B510B62D71CEB5659A805EE94A2EA7174AF85904AAD5681DE9D203CB243552DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:34.890{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81594F2C4B93E257AF77835D8BD2EBAF,SHA256=F581B3B8A5EA054C7601197BA02F7B8940E6C3B2BD9FC908369CBD66101911CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:34.561{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D129850F01E2E44DA1D57D6DCC41ADD,SHA256=B9B7FCFB72F0F4F5A442788092D9F5730D85BD284ADFAC112C8F1CB95A635B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:34.043{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2026E5C4148CC49D5FC176990698B694,SHA256=8028B2CDC9640F3CA78AEC808791F0461ED5A1D02D0D17A56CD2C4CD3DF95FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:35.562{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2408E6A27ECD61173092827FA95D0D,SHA256=D7AD8715DAFEEE8AA9CCBC507B035685EB6B1DE042955F24DE2A2002B406E166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613301Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:35.043{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A1283BFF759EF46F807A9CB1CC5E92,SHA256=D4E484C291124838FC83CE90EB960DCFF8D9D4522496C11CB2B04762F1DD3F0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:32.688{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58299-false10.0.1.12-8000- 23542300x8000000000000000669499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:36.593{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DA0A1EB70A9F20D8184A3B0A2B9F69,SHA256=D8119F0FEEDCB4651A3ED78D27986EED1E78912D75F4DC416A89CE0F2A657B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613302Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:36.059{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B6210DBD41AEF796BE01865090D769,SHA256=0436AA2D78C5E7D8929AAF98AA8DF99C9CF645D5495FA10D6963B81759506E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:36.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5098648511F7B1B2A8B2C794C2C1F503,SHA256=B4B19CD61CD5E4480B9214AD00DFEBDA4510887F5A35490D450953BBA6F21EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:37.608{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F268DDA1BF60123DAC161ECC3D5CE398,SHA256=3AAD0ED06BA929A7E8D658CABBC815B0B72E876807D315A5039DAD7037CACC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613305Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:37.512{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9489C2A46A2203D704CEA8DCCD570C76,SHA256=28C5A229950A2B710A7B56083A09AEEFF2052642B4443680D6F24BA31D066A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613304Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:37.512{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=370B325DCDD1A9D57313735B352BADAB,SHA256=F41B136B31051E54060CA58670C521E20865DFF2589FCBD5E1F1004FB9E78BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613303Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:37.075{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F6A1D01DAFE9B3F19C476CF40CE80D,SHA256=710260671D6D4DE7E7E022A77EDA381458BC0686C051F6579A30303911CCC236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:37.499{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BAE373876AA9A57E56CC953CB8474F6,SHA256=9680C27B2B83FC9AD9D86FD6FBC505D7F37EFE33A596CC408BBD8BC5B5194457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:38.780{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9628BF82B2494940E20A66319A2291F,SHA256=18560274D4AF9EB99137BA5187151F080D497CDFBF9AD199BD981DEE4F4EF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:38.640{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346C0CBAEC28FD1CCA1AE26FA31BCE79,SHA256=F9B0F27D4EA7F4DC82301554DF70397B787C2E26D1EBFF3059599A880B4F1358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613306Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:38.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDCE134B54AC53B5093A36A85F4D323,SHA256=C77DB46EFFE69C1678C225349A4F8E93827C355FE2928177A7DFE805A075B378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:39.909{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB56AC4F4A6D0AE2AA7222904846ED42,SHA256=5B2E34A993C7922B24ABFCC50C9DF5096E593073EFD0A80E6862260E002310A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:39.655{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793A87F92525A55494052ACAA3C84F6F,SHA256=30894919B3C50197A94BA253C29AC4DA0F97DA6EEF2FF46FC660651B0F63AFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613308Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:39.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F2E8AB560B4A4379C8224C2B43DC27,SHA256=9679FFAD424D90A2D35377C78977C700647CFF46664CEFCA305DA71BB29FBC97,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000613307Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:35.108{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50924-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000669507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:40.878{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0A8C89CB87D2EA6B7EF99D5E4E29CA,SHA256=4974930E45D37057B5342FDB2F883FBB00AB855B522CC13A4EC13A34D2829688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613309Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:40.110{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E72AA80E5D058488F5266F1AA202E00,SHA256=15434BCB3766BE8307CEFC642831ED4A9B15CF689037D7611E402F57905E7A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:41.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F369200B25BF91E0B0B1AAC0584178EB,SHA256=21803EF27F4A20DF8857BB94AC465B973687CDCC52D2EB1AC4C646310FD92B7E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:41.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BD5F56088B96F33A5C760377326B39,SHA256=FE2227F1E089F153A519731CBE55B1C7920ED08163D77779D2CB8CB5FBD7023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:41.126{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20073EB61E9F3FB8AAC9CED5B2DE87A,SHA256=986FBB0B4828686B0B556012B8CFAB062D9CD409DDDB998859E247AF7BD0F938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:42.956{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4012ED0B58079257452B1CA9AF0D6D,SHA256=5925924095C7753D20E5E74A48D5254D2C6B7717899320920E9552C66CAFBDCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:38.676{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58300-false10.0.1.12-8000- 23542300x8000000000000000669510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:42.206{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8979F95E3A116F87B198466EAAF7FFFF,SHA256=AEA65A2EAC7589260D7DFE321B68C5A09F0432AA4BBB057F0F4F3E540E20A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:42.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942A0841115CEBDBC076B90F1E37DA61,SHA256=C59412AA7F006A70BB40004FBE0C6BF81A02A45F5A84F285D49CE9D8A1C7A55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:43.987{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77880562C3D94F4AD5719777A1EFFD46,SHA256=3FB02964914D4AD4C57A3D17B02821DAB78E738269BA2056268B312F5A427231,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:40.940{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50925-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:43.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C033158EDA586515DF6033ACDD751E34,SHA256=56025885C6AC7C47F2C79102EA6E81A9719C4A344E72DDFDF2F81E4B995C2ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:43.347{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30771E613B5BE5950D385A4E29E15F1F,SHA256=E1C0A6AC389B56DEFE09A723A5744181A144426CAD71F07FBA69061EF16B1284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:43.094{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1521406B336C4920CD7BD258D1BAA69F,SHA256=2AFF5840BA38ACB272F39B2EDA471D8DEF8A711D14D765540D31F4D73335AC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:43.094{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9489C2A46A2203D704CEA8DCCD570C76,SHA256=28C5A229950A2B710A7B56083A09AEEFF2052642B4443680D6F24BA31D066A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:44.987{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83504071C849596FA4D807A4C50C6B3B,SHA256=FB1B2B6DCC1C7967FAC6E3EDDB0680A2E321BF7A199F9F05300B3E3D153A4FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:44.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B3EDD326DD8FF1060C16F5E82DC76F,SHA256=2A31B9F3D850FF0A9D3D463FFC61DB9C5BDFCF8B6FC41279C5BCE5600CFC8727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:44.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BBE5EAF01ADDB672325AAEDEE98420E,SHA256=33861A01266682F53A54E706FD488789BED21EBBCE9FB39BC829D056FB095F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:45.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347BC80C357D23417C51B3F43FEE8D0A,SHA256=6282174B59C261F8575AB16771F1543948D8B9459ADDB3C6E5C3BF3DA7724FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:45.753{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDF64A023C9C475EF5634DA6F9FB6E26,SHA256=04845B10E136C3CD540650114DC6BCD6FF5894AC02BCD63F35915A404AB47D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:46.003{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E8EF4B0E7D357AE2B32116B113DE0C,SHA256=B634F59D7E0C6A93AA8020D7D823819EA26F7D02B65FBC01772EC62BCE002DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:46.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F44D2D63F9AA916C4A1467F38B3AA9B,SHA256=A7BFE13F88C47A61A55BC7DA2EC588CF88A015075A43070524B8773860EEC6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:47.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5360DB6E5845CCCC5C231D7F2E8E73B,SHA256=A66E4B7580F70672992609CFF130FEFB903EF78A92F6FD526AEDBEE4023993A8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:47.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8B7FBA3D5D29E89660E1CC2A771ACB,SHA256=3009BD96666AB70D579D60AD774AEFF7E24F0EB68D7C8526B45A0938CBCA713E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:47.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273C7201A18FDFE87E291244BEA32025,SHA256=B5A96CCE28124118F938D8FE9C773329B6525D3EFA76E2F16AAB4BE568D55615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:48.378{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B675FA96EA4897D61F3B40EE8730350,SHA256=D846EF708B163FCD3F3BE7FABCAF19039775896D17D4277C8362FCC095852AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:48.050{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4093FE978F959B0FBF3E97EC3C1583,SHA256=F31D950146498CD89768808F947EE3E279B155447398E43B6FDED64E527754DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.719{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F47C-60B8-4D5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.719{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:48.719{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.719{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:48.719{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.719{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F47C-60B8-4D5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.719{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F47C-60B8-4D5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.720{97C2ED32-F47C-60B8-4D5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8DE7AACD704C7B2BE31FFD5BA73A15,SHA256=3B19407B77A8599F72B62E0FEFD1F5DCEC6C0FB9AED75C07F880D41D2D8CCB5C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000613321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FCC5D1B46B83CC49291EF53B2C66091,SHA256=498A0DA0227A3080D87BD4DACBD4700FD73A388198C8807BA1E5A6089B0457F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:48.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1521406B336C4920CD7BD258D1BAA69F,SHA256=2AFF5840BA38ACB272F39B2EDA471D8DEF8A711D14D765540D31F4D73335AC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.519{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04C61F128777FEC702F83B55A0816569,SHA256=E7ABB829E8118A937EBDDBB0F57AC1B0E5440DA49095804529B12C3DD2648BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C165DF9A03AABDAD5019E25C20B1BCC3,SHA256=95D725529C73FCF20D778EE8EA0E477E13E882AB7E358C8EAA5222871367566E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000613349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.985{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.985{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:49.985{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.985{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:49.985{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F47D-60B8-4F5B-00000000C501}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.985{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F47D-60B8-4F5B-00000000C501}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.986{97C2ED32-F47D-60B8-4F5B-00000000C501}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.876{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FCC5D1B46B83CC49291EF53B2C66091,SHA256=498A0DA0227A3080D87BD4DACBD4700FD73A388198C8807BA1E5A6089B0457F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.516{97C2ED32-F47D-60B8-4E5B-00000000C501}49364608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:49.391{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F47D-60B8-4E5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.391{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:49.391{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.391{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:49.391{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.391{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F47D-60B8-4E5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.391{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F47D-60B8-4E5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.392{97C2ED32-F47D-60B8-4E5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000613332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:45.971{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50926-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BC99ACC3E33C9BB2C3B7970684C1B9,SHA256=09474C46EDA20104DE6CD48893C512503E5CD12D35AE00E23355EF64E57B60C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:44.489{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58301-false10.0.1.12-8000- 23542300x8000000000000000669527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:50.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BA78CFDB7CDC9D3900064A8C5B7A1D5,SHA256=1B091253935DEEFB0B7962270545C75C5CDDA79FA715BEA12A455C1AF87D90D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:50.378{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D646CBE18557E54FB3571EFCE3A7BF9,SHA256=9DA63BA2A05C4246DA28AB041196C27D263345D757EB3DAD0207B13288BCCBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FAEAAD050854E7A8A037B61C84EB8EF,SHA256=AD788E12CFEE6B1E5FB2BE72D5A92DDF721706FFB678A750C15A8B5A5589B43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.657{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F47E-60B8-505B-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.657{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:50.657{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.657{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:50.657{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.657{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F47E-60B8-505B-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.657{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F47E-60B8-505B-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.658{97C2ED32-F47E-60B8-505B-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:50.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267401C1BAAB9CC7EE093C1BA17E2380,SHA256=5CCF555751DB48F67285CF195DA979C84DFF4677999B69C1AC5E3B6C10FFFF18,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000613350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:49.985{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F47D-60B8-4F5B-00000000C501}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:51.925{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619A4C69C126EEDFBADD1941A7E7DE4F,SHA256=B62BD71D6DD1D4217749E3221ABD6845E8014741BA4DCCE42FC48F6FB06E72A2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000669531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:25:51.769{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000669530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:25:51.753{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000669529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 
15:25:51.753{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 23542300x8000000000000000669528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:51.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B5C8E8F18C5766100C7B03A98C4BE1,SHA256=07BC1E79C91C87A7B0850297A4787A881A71DAAC52EF872D22CF225885BED20F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.469{97C2ED32-F47F-60B8-515B-00000000C501}53805788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.329{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F47F-60B8-515B-00000000C501}5380C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.329{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:51.329{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.329{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:51.329{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.329{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F47F-60B8-515B-00000000C501}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.329{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F47F-60B8-515B-00000000C501}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.329{97C2ED32-F47F-60B8-515B-00000000C501}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.235{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2550E222448156FB557425E320F62F7,SHA256=591386975D07A10F4A3A6005F76ACF5A8944C3802D0F1D151C2BDEB13E99BA7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.766{97C2ED32-F480-60B8-535B-00000000C501}43724836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.626{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F480-60B8-535B-00000000C501}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613388Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.626{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613387Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.626{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613386Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.626{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613385Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.626{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613384Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.626{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F480-60B8-535B-00000000C501}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613383Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.626{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F480-60B8-535B-00000000C501}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613382Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.627{97C2ED32-F480-60B8-535B-00000000C501}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.360{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A185059D985F7E9B135C12E09333A64E,SHA256=9C6A8F0CAA8C4C9A2BDE0F3E6AD2674B29F865EF10DCC478141A69300FDF4470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.251{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874D450C1BEA0A100B86D4405E81C30A,SHA256=906C846D4A1D3680E69D7AC0CD79E89BB133305BF0F908824D51752407DB457A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:52.581{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42268ACD3B0110081134932204E52318,SHA256=70DF953BCF773F20E7E0B3D83D91FB265DB0BF2FA6F71027B6E9DB5061A445C3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000613379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.126{97C2ED32-F480-60B8-525B-00000000C501}23643848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.001{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F480-60B8-525B-00000000C501}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.001{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.001{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.001{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.001{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:25:52.001{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F480-60B8-525B-00000000C501}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.001{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F480-60B8-525B-00000000C501}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:52.001{97C2ED32-F480-60B8-525B-00000000C501}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:53.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8803DCE8D055EB6B9DAAA0DD0A6DC51F,SHA256=DFAC7EFFC5B9673443445083F4A792389BCF8CCF58B83408BE6C6EB7516F89BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:53.673{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4F47EBCFA37CF92143085A7238E6AF,SHA256=D80043C49AA7D83C0161FFB9D048D11227B18098A4BF45612CDCDC1E0DFC3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:53.251{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85EF68E591E17BC5BF205922BB3C725,SHA256=59E85177E9F36CC4F35069C8A1CA43ED3EE35B8769E60D4759D57CC936DE0FD4,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000669540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.232{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58304-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000669539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.232{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58304-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000669538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:53.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4135531DED37DE5A2D03E3BA2B609960,SHA256=3B457D30B1F00B6D391EB3B39880F187DC5C9D2E5E41F084439124D6B15EB54A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.224{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58303-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000669536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.224{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58303-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000669535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:49.209{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58302-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000669534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:49.208{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local58302-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000669543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:54.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D86E65464A162A1A19E7DED7B768B4,SHA256=40736010130CA5157BD7B02AB51C0AFD635563673EDF1D1D48FB1CA8DD30AB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:54.251{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2FD8228BC5AD9C24325714E067EF66,SHA256=178AD59D0E2DD22132EBD85C38AA77B81E74577571C18F4F3324AF34EB801D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:54.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=885122A7AE7644EB17B18591BD369738,SHA256=75071CF0517D1668445B9486E328B73EE7DE7F2B9B74BE51160C78A30ADC970A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:51.877{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50927-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000669546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:55.815{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39393F8EB5116129EEDB9EF99CBCE7BE,SHA256=44CA477E907ADEAC0EFC74FDCDC58F7F2B6EBB1CEB05847086F63A10BBEAF7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:55.266{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A1C628D0A94312E983F711DBF0CDAC,SHA256=B794CC72D8014BFF9E8FF33B9E3598C66DED87258A1CF3398D5386C2C10E3782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:55.487{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADBE10D60B74AFCB9ABABDCEB5590E76,SHA256=9D6C633B1C02B9FEB428F56E00E066E2AF42532927DC56685D2D19741E027936,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:50.520{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58305-false10.0.1.12-8000- 23542300x8000000000000000669548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:56.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F4C4F60A2E7AB4B1ABC7A543A8BAB93,SHA256=8EDF5C26CB123F0F68A6EC73CDB5B4F45434D6AC2504B54A818EC3A98898BA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:56.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2574F2CB62C69EBC882719644E9A9794,SHA256=7150BCB6B6CC81DA3CA899ED2B4B3E99665AB04782551E795751CFB2B10ED566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:56.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF94DEF1A919AE9E3AAFFEC2EC46A42,SHA256=28BFAEB7FF46583BD28756CBEAAB7834DEF7AB290B8F7DAB3B4B5FF63B8F49AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:57.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3650840A861E208B84528F019BA90EBA,SHA256=FA0D5CF970B62D664B9045A17A527EB6BD23D884196E7AE531438B6CFB5A6B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:57.313{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5EB37D4DB9F6134289EA2120F44FC0,SHA256=3FB083E10747FB9B270D0B61596C1DD12C3D149AE257DB207FE1382BAF25C711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:58.862{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2A597E8EAD773D5A90CC8EFA454901,SHA256=18AB505D60460D4F2ADD7FF2E5C24380F53C7D6990A226780699F1F7A62D9692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:58.329{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B560B4B406256C10EA6BB79742DD4988,SHA256=FA02D337B5B4B0E18583ACE9791D6466A213B2D8AB6F61B81E695DB9DA3F4812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:58.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38706551F3306915FAED403DCD28D9E1,SHA256=87B65B742F5CCE2BE96600BDFAB3D0607FF2B96CB608A763E282FC2F1647F24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:59.867{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA63FAEF497C5B79FBE53CD35D8B176,SHA256=656F3E95EDC02DB8D96C7A935126F5AEEDDBA9BFAE64B367A54DAFF0065B727B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:57.049{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50928-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:59.360{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:59.360{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957F83A498F10004A006CD9E57005719,SHA256=91FE298FD4F14CD778C35B98293694E953E2311E140CD90C2975D219FDD1F78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:59.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=856B26087B6CC19B22E6B933A609B1F1,SHA256=C25C390A983291E96757C8934325E57C6F9114E5FD321C2EC11AADF25912E5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:59.235{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAB0511F029989D35D18833DEB5953C,SHA256=081FF90CB1D1A858C1BAAC873869894B899D86F28B358CC1CA5C216ECAD2C493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:59.235{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03DE3844A5BCC012EA020FF837D4E4EB,SHA256=5E920A1E86E200C37CE3E4D36692D584C9BD7B7005D0C9E360630736B20E2CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:00.883{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9EC6B3C77EF7F43D578BFF65567A98,SHA256=86B7E3318002DBC79C1101C00A40AF08A690B5702FBE672B784BE1E1BBF94268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:00.490{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAB0511F029989D35D18833DEB5953C,SHA256=081FF90CB1D1A858C1BAAC873869894B899D86F28B358CC1CA5C216ECAD2C493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:00.365{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E015408B901B43A2F1A05EC4AE5E00C6,SHA256=9FCBA549CC281D245454852F7ADC8F9C19B63D5773319B9D440184226FC31C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:25:55.629{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58306-false10.0.1.12-8000- 23542300x8000000000000000669554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:00.258{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FFACF237489D54C3E03D0593375D4A,SHA256=FB048F3ED16FC8FC1AB947F62564F05BD3FC61ED2071831383C4DA82BEB0F065,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:25:58.190{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50929-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000613406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:01.380{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF821B8B527299831564CAC5AE9DF8C,SHA256=CF48E7E7A719B02597F8F6D80227A4DB13A715AD77B480F9DF85926EB8D699A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:01.430{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96BB3BD9A26ADCE35BE75A89C8189D16,SHA256=BB9DEB2C10954621FDD107424F6F607124D40A7A58B3F8A8B87E4DB31BB7CEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:02.443{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=139CC4F33061818E7C89786B3A4B8742,SHA256=2D09EBE063A1B1FD046111A14CBADC0DEA843B1E6EAC9DADB6C0C119BB51577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:02.427{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203F9FE1E86F23FAF9E506DD13714E94,SHA256=42AA44B1B4D3785501DD71476A1361EC171B4E992BCB1417F10DAC1BB36D4E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:02.648{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F14EA33EAFE83BA4133BB86C00995AEB,SHA256=2FDAC6DCB5BBA7381EDE43E8DB14603407F624276467139D3391AB6FF1DC80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:02.336{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:02.055{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBEE4A6A6E9F8FB520612C44903AF30,SHA256=470D70DA25D228274C26A03F05F7B37C6C5756A70C4D579A72C21D13D96FC17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:03.443{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0D51F39C52A841EA54BA7E43998A70,SHA256=3F1F0FE6609E4A3F21B476B575367032B9FCBAC0490B13A5A0C2373604A5C1A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:25:59.775{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58307-false10.0.1.12-8089- 23542300x8000000000000000669562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:03.898{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABFEA9EDE31135C643056813F5710617,SHA256=281DE331FA6C8F798D9887D9112D6BD55A8212E8E6B15D7E3E11436A54FB31F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:03.070{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846C2551B1195B49D58989002E720845,SHA256=C406E0404EC372848FCA0E99256B06C9020AF405B9E7555C0C95C81EF474611E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:04.459{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6C43BA46EC30AC7F92A505C6A73F04,SHA256=5E17EEAE3807AEF39E50FCC722C89F7C1ED589BC0872029BCD239F82AE09DC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:04.086{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67C4E9A33B02D9ED259FBBA16C32401,SHA256=837163EC2AAA318E1D784F80D6E6B7A16CF4FE30C2FE1627DED142CC1788E69F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:02.898{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50930-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:05.476{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162F7323A36485393EB88F5D3E2F82E6,SHA256=2D79FBA6ED9D5A64B0ADA4FE6725192694292C2917042C5FA6FE138DA2B7935B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:05.226{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85F4196F92F338FEA77FE888DC76C543,SHA256=9FB007ECF68B59A21FCE350A7BFC322EAB86438C9350E7ACE24AC2424EC917AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:05.101{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F7A3EBCC3659390238CBD2F49994D1,SHA256=2D5BB3F79E65B96A2C68677149B3E72E699E07A8BEBB3CE60EF7CAE4E1051862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:05.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE9E973759C758A76B6AF3A64D231E3A,SHA256=2354980F666246DD06D51ABC42D16593F9EA8BE2174898E5F0EFF0B1E246F7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:06.479{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D356BDB77A094EAD8F02266CEBE04145,SHA256=32A8A1700AFE2CED63C342FDA26D21F7A0CA0EF7CF939583C41006D1AC0BDCBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:02.525{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58309-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000669570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:02.525{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58309-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000669569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:01.650{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58308-false10.0.1.12-8000- 23542300x8000000000000000669568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:06.414{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835C2E42408E20A169A2A6096EBF09AB,SHA256=31E89E8F8CF1EED6A52EC01566B7511EDD72FBEA5CDC360177A2B09B6832EAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:06.133{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FFEB126A27A79A35375822A1FB4D39,SHA256=4C74255571355B3115F407255AA52AA24AE131630B220586363118C9DE13DF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:07.494{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7056083DD074C737750B3A11023901,SHA256=DB114240EFFD26330CB5C5FAD8BFD0401DE116B5E6C1DB6E89DA1183C73C11AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:07.555{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A95BC99C528A4505893745EA791D709,SHA256=18527E6A5876C44C7CA4EC535E45FEDEC5E58AF588B39A9E08035D757FC11F33,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:07.133{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B056A59993A2ACE9043D20261DE635AD,SHA256=BCFF1DC7F5C5B12324EDD41621C22C9F8DD07AEAEC2A753FBC8C873FBBE89D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:08.525{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F7A91B329FB358CAA4788052AC9C7D,SHA256=1FA8A348AF07D3FC63C3252232DB6FCDB916DC70D535034907D878A7FB7EF6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:08.991{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CA6B6488851781CBA8FBB08E20DFF62,SHA256=01E92332649B4D9D998B01898D7EEACBD9C55231EBC8F2A962AEC40844578EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:08.134{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9496359A17D75C8B3D6E88739C774CC3,SHA256=7D6C788E97D090F42EFD8786F8EDF6F6C51FC10F03E8AB03A51AE924EDCD2FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:09.541{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E893F410A0D7E759872528CC13FC9A17,SHA256=EB862BFF43ABBC83A6BEF3D4A9E6DFA796529789A1952CE34F68DC37309ABA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:09.147{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46FED62234647F8CD582F5B6D3AEF17,SHA256=4289406EF1546F1791FD0A37603A7881E2A81A63AD5C2E4876169ECC8AD5644B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:10.557{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3C55522D46A522E3B8CD1BC72B53D8,SHA256=AF036F10927F026D71F9AE9068C858C2AB5AE075E4237FDDD4614C377F98ECE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:10.150{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57424205B8768D4538E3B24F90EFF40,SHA256=52712238A995E97A7CB7B531D94F173AC56E0899739C24CD5FA94E84064E2D01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:08.043{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50931-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:10.244{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=894621E131521D302B427B2AE20C2B00,SHA256=6B5E4AC5CA29F72180788F166936B2FBB7FA613B510F1815E31138646EE06198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:10.244{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96882A983495C236D29C910D7E279D14,SHA256=478BAC132FC7628E1BF9B2A27506D6AA71A8F2C718EB26FD4822AEE7CD88B26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:10.041{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B22D0FC5D6A181D8815C2C0FF4159DD5,SHA256=7BD2D21B73193C1EC24121104F466FFD6949024D446888323FC68B90E0D167E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613423Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:11.588{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0FD00CD3EEB88C71CC1F715741F421,SHA256=9F18881BD2331A8F3183F042A8DCDE527C801BEC457FBA3FBDFB76436C9AD8EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:07.636{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58310-false10.0.1.12-8000- 23542300x8000000000000000669580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:11.229{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECA67DC1E1D0EECDC2B19EA1391CB223,SHA256=FC2579B294B94EA09FFFB3E4E273053683468A21F6A710EF0D0A285EC4498147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:11.166{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5CF69BED429343CFF611FA56EF888C,SHA256=5ABABBB579184581637B9329E40FDC0246B56EF9E04BFA02169E80D1F7271E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613424Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:12.604{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0134A536E64CEA1EFBD67097A3163F7F,SHA256=AF059E3EC8DAC2BBEC7FCE1EEF1C2A3CAC6B80A4D4EF67FFFDFA58293188F481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:12.463{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A6A0010AA5421B0251A9DF2C435BCC,SHA256=1F1E08B203006206E30CDAAF23EB85B93AADD8A94F4087567E10912DC91C4B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:12.182{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DEF963D69C3CA4E78EE5681539D7D1,SHA256=9EABD98068BFE5A8B24A06988FF9279D78D5682078F775F489FB47892273EFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613425Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:13.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F86ED6A86AF4F02BCF8F1936097232,SHA256=A7096E3409B3E7F7E4EC49FA3CF8521F73F9C4E235F9B3CD869DFFA284CF2F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:13.619{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5055824C71F6E66C6554D98B1253A10,SHA256=46C547702381EC45544CA1751EE1C61AA337EC5F415DFD044CED0D078418A408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:13.197{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EBA91B4BBEFEB859F717CD816C2889,SHA256=C86CF7DBA0CF9E69100A490258F05EE35E588E1C282BD4CA5DA4CF8CB0258E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:14.604{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFE3D95865D917FDCEFD6AC46FCD0D9,SHA256=DEDE748B4E4DB75ACCFC11C89050F69C30A9D5902ED443DDAFB9F1A7FE9726C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
(ProcessAccess record continued from the line above)
  UtcTime 15:26:14.947  SourceProcessGUID {D419E45B-F496-60B8-1551-00000000C401}  SourceProcessId 4868  SourceThreadId 6180  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  TargetProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  TargetProcessId 3052  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669604] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.870  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}  ProcessId 2528  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=726B1E20F760BBBD1C0704347B69C534,SHA256=5110E42D42EFB4A0349CE6BD7D1EDF90FF73A11D521C9A803F8E39493D3A03BC,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[669603] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.760
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401}  SourceProcessId 3404  SourceThreadId 3424  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F496-60B8-1551-00000000C401}  TargetProcessId 4868  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669602] [669601] [669600] [669599] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  Four records identical except for the lsm.dll frame in the call trace.
  RuleName -  UtcTime 2021-06-03 15:26:14.744
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401}  SourceProcessId 848  SourceThreadId 6564  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401}  TargetProcessId 3020  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<lsm frame>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm frame: 669602 = +fd18, 669601 = +11aad, 669600 = +11058, 669599 = +12023

[669598] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.744
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401}  SourceProcessId 412  SourceThreadId 428  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F496-60B8-1551-00000000C401}  TargetProcessId 4868  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[669597] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.744
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  SourceProcessId 3052  SourceThreadId 3752  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F496-60B8-1551-00000000C401}  TargetProcessId 4868  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669596] EventID 1 ProcessCreate (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.745  ProcessGuid {D419E45B-F496-60B8-1551-00000000C401}  ProcessId 4868
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  FileVersion 8.0.2  Description Active Directory monitor  Product splunk Application  Company Splunk Inc.  OriginalFileName splunk-admon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {D419E45B-752D-60B6-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165
  ParentProcessGuid {D419E45B-753F-60B6-2E00-00000000C401}  ParentProcessId 3052  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[669595] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.260
  SourceProcessGUID {D419E45B-F496-60B8-1451-00000000C401}  SourceProcessId 5056  SourceThreadId 6628  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  TargetProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  TargetProcessId 3052  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669594] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.213  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}  ProcessId 2528  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=1442E6873EF9556BFDB789CFE297D950,SHA256=BD67C5B50E4D6CF40149555BEB19919DF8E73A0A9FD17B6845930F1B56282B1E,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[669593] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.072
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401}  SourceProcessId 3404  SourceThreadId 3424  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F496-60B8-1451-00000000C401}  TargetProcessId 5056  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669592] [669591] [669590] [669589] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  Four records identical except for the lsm.dll frame in the call trace.
  RuleName -  UtcTime 2021-06-03 15:26:14.072
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401}  SourceProcessId 848  SourceThreadId 6564  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401}  TargetProcessId 3020  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<lsm frame>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm frame: 669592 = +fd18, 669591 = +11aad, 669590 = +11058, 669589 = +12023

[669588] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.072
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401}  SourceProcessId 412  SourceThreadId 528  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F496-60B8-1451-00000000C401}  TargetProcessId 5056  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[669587] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.072
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  SourceProcessId 3052  SourceThreadId 3752  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F496-60B8-1451-00000000C401}  TargetProcessId 5056  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669586] EventID 1 ProcessCreate (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:14.058  ProcessGuid {D419E45B-F496-60B8-1451-00000000C401}  ProcessId 5056
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion 8.0.2  Description Registry monitor  Product splunk Application  Company Splunk Inc.  OriginalFileName splunk-regmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {D419E45B-752D-60B6-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25
  ParentProcessGuid {D419E45B-753F-60B6-2E00-00000000C401}  ParentProcessId 3052  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[613427] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-host-236.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:15.619  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}  ProcessId 3204  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=8845B86A258603A136A38D65F6E0251A,SHA256=9E62C70156F14A046172F3CD0E24D616C4B3E8E798902198783320A4678AD2C9,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[669614] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:15.416
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401}  SourceProcessId 3404  SourceThreadId 3424  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F497-60B8-1651-00000000C401}  TargetProcessId 2212  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669613] [669612] [669611] [669610] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  Four records identical except for the lsm.dll frame in the call trace.
  RuleName -  UtcTime 2021-06-03 15:26:15.416
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401}  SourceProcessId 848  SourceThreadId 6564  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401}  TargetProcessId 3020  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<lsm frame>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm frame: 669613 = +fd18, 669612 = +11aad, 669611 = +11058, 669610 = +12023

[669609] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:15.416
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401}  SourceProcessId 412  SourceThreadId 428  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F497-60B8-1651-00000000C401}  TargetProcessId 2212  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[669608] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:15.416
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  SourceProcessId 3052  SourceThreadId 3752  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F497-60B8-1651-00000000C401}  TargetProcessId 2212  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669607] EventID 1 ProcessCreate (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:15.417  ProcessGuid {D419E45B-F497-60B8-1651-00000000C401}  ProcessId 2212
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  FileVersion 10.0.10011.16384  Description SplunkMonNoHandle Control Program  Product Windows (R) Win 7 DDK driver  Company Windows (R) Win 7 DDK provider  OriginalFileName SplunkMonNoHandle.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {D419E45B-752D-60B6-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8
  ParentProcessGuid {D419E45B-753F-60B6-2E00-00000000C401}  ParentProcessId 3052  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[669606] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:15.291  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}  ProcessId 2528  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=AAF075C836058481B79D239D01E85DBC,SHA256=BF916B156F54A8FDFC9394A5B8873DA7FD11635A4596BBE37D373462A6E74754,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true
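The ProcessAccess records above carry three distinct GrantedAccess masks against the monitoring stack: 0x1400 from svchost.exe on sysmon64.exe, 0x1fffff from csrss.exe, conhost.exe and the parent splunkd.exe on each forwarder child at the moment it is created, and 0x101400 from those children back on splunkd.exe. The following is an added example, not part of the Attack Range dataset and not Sysmon or Splunk code: it decodes the mask into PROCESS_* rights and triages each record so that the create-time full-access handles are separated from a handle that would actually let a process tamper with the agent. The PROTECTED set, BASELINE_SOURCES, the INTRUSIVE threshold and the final update.exe record are assumptions made for the example; the other four records are copied from the dump.

```python
"""Decode Sysmon Event ID 10 (ProcessAccess) GrantedAccess masks and triage
handles opened on the monitoring stack itself.

Added example, not code from the Attack Range dataset, Sysmon or Splunk.
Four sample records are copied from the dump on this page (host win-dc-233);
PROTECTED, BASELINE_SOURCES, INTRUSIVE and the update.exe record are
assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# PROCESS_* access rights (winnt.h), keyed by bit value.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Rights that let the holder alter, inject into or kill the target. A handle
# with any of these on a security agent deserves a look (assumed threshold).
INTRUSIVE = (0x0001 | 0x0002 | 0x0008 | 0x0020 | 0x0040 | 0x0200 | 0x0800
             | 0x00040000 | 0x00080000)

# Binaries an attacker would tamper with to blind telemetry (assumed list).
PROTECTED = {"sysmon64.exe", "sysmon.exe", "splunkd.exe",
             "splunk-winevtlog.exe", "splunk-admon.exe", "splunk-regmon.exe",
             "splunk-powershell.exe", "splunk-monitornohandle.exe"}

# Sources that open every new console process with full access at creation
# time; the dump above shows them on each forwarder child (assumed baseline).
BASELINE_SOURCES = {"csrss.exe", "conhost.exe"}


def decode_access(mask: int) -> Tuple[List[str], int]:
    """Return the named rights in `mask` (ascending bit order) and the bits
    the table does not cover (0x4000/0x8000 are reserved but are part of
    PROCESS_ALL_ACCESS = 0x1fffff)."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    covered = sum(bit for bit in PROCESS_RIGHTS if mask & bit)
    return names, mask & ~covered


@dataclass
class ProcessAccess:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    granted_access: int
    source_is_parent: bool = False  # set from a matching Event ID 1 record


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcessAccess) -> str:
    """Classify one ProcessAccess record against the assumed policy."""
    if basename(ev.target_image) not in PROTECTED:
        return "out-of-scope"
    if not ev.granted_access & INTRUSIVE:
        return "query-only"
    if basename(ev.source_image) in BASELINE_SOURCES or ev.source_is_parent:
        return "baseline-handle-at-create"
    return "suspicious-handle"


FWD = r"C:\Program Files\SplunkUniversalForwarder\bin"
# Records copied from this page's dump (win-dc-233, 2021-06-03 15:26:14).
SAMPLE = [
    ProcessAccess(r"C:\Windows\system32\svchost.exe", 848, r"C:\Windows\sysmon64.exe", 3020, 0x1400),
    ProcessAccess(r"C:\Windows\system32\conhost.exe", 3404, FWD + r"\splunk-admon.exe", 4868, 0x1FFFFF),
    # splunkd.exe (3052) is the parent of splunk-admon.exe (4868) per record 669596.
    ProcessAccess(FWD + r"\splunkd.exe", 3052, FWD + r"\splunk-admon.exe", 4868, 0x1FFFFF, source_is_parent=True),
    ProcessAccess(FWD + r"\splunk-admon.exe", 4868, FWD + r"\splunkd.exe", 3052, 0x101400),
    # Constructed negative case, not in the dump: an unknown binary with full
    # access on sysmon64.exe, which is what agent tampering would look like.
    ProcessAccess(r"C:\Users\Public\update.exe", 7777, r"C:\Windows\sysmon64.exe", 3020, 0x1FFFFF),
]


def run(events=SAMPLE) -> List[Tuple[int, int, str]]:
    """Triage every record; returns (source_pid, target_pid, verdict)."""
    return [(ev.source_pid, ev.target_pid, triage(ev)) for ev in events]


if __name__ == "__main__":
    for ev, (_, _, verdict) in zip(SAMPLE, run()):
        names, rest = decode_access(ev.granted_access)
        print(f"{basename(ev.source_image)}({ev.source_pid}) -> "
              f"{basename(ev.target_image)}({ev.target_pid}) "
              f"{ev.granted_access:#x} {verdict}: {', '.join(names)}"
              + (f" +reserved:{rest:#x}" if rest else ""))
```

Sysmon emits GrantedAccess as a hex string, so a real pipeline would feed `int(value, 16)` into `ProcessAccess`; the parent relationship used for `source_is_parent` comes from joining the Event ID 1 record of the target process, as record 669596 shows for splunk-admon.exe.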
[613431] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-host-236.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.635  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}  ProcessId 3204  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=D8E1D505DFF7A6285B6F3B06DDAEFEA3,SHA256=ABBE59E35B943872A02632FC24255DE7C32A984008C3C98C4257358E4A6E11D1,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[669634] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.900
  SourceProcessGUID {D419E45B-F498-60B8-1851-00000000C401}  SourceProcessId 4296  SourceThreadId 760  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  TargetProcessId 3052  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669633] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.760
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401}  SourceProcessId 3404  SourceThreadId 3424  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F498-60B8-1851-00000000C401}  TargetProcessId 4296  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669632] [669631] [669630] [669629] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  Four records identical except for the lsm.dll frame in the call trace.
  RuleName -  UtcTime 2021-06-03 15:26:16.760
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401}  SourceProcessId 848  SourceThreadId 6564  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401}  TargetProcessId 3020  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<lsm frame>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm frame: 669632 = +fd18, 669631 = +11aad, 669630 = +11058, 669629 = +12023

[669628] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.760
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401}  SourceProcessId 412  SourceThreadId 428  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F498-60B8-1851-00000000C401}  TargetProcessId 4296  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[669627] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.760
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  SourceProcessId 3052  SourceThreadId 3752  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F498-60B8-1851-00000000C401}  TargetProcessId 4296  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669626] EventID 1 ProcessCreate (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.761  ProcessGuid {D419E45B-F498-60B8-1851-00000000C401}  ProcessId 4296
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {D419E45B-752D-60B6-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentProcessGuid {D419E45B-753F-60B6-2E00-00000000C401}  ParentProcessId 3052  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[669625] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.291  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}  ProcessId 2528  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=83AB6E2B93217EEEAF8DEE7BDE10CB3B,SHA256=3C1C37EC14A0869D69C560363269461EB31D9646E747D873872563655EF7A215,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[613430] EventID 3 NetworkConnect (Version 5, Level 4, Task 3, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-host-236.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:13.965  ProcessGuid {97C2ED32-7885-60B6-EE00-00000000C501}  ProcessId 3036
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  User NT AUTHORITY\SYSTEM
  Protocol tcp  Initiated true
  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-236.attackrange.local  SourcePort 50932  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname ip-10-0-1-12.us-west-2.compute.internal  DestinationPort 8000  DestinationPortName -

[613429] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-host-236.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.119  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}  ProcessId 3204  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=C9F95A654F4245B1C37D6F51688C43D8,SHA256=7847A044880C9D6C7CED4E5E3DC3CA77C83C4B4B218D9879FA91A5E139FC84C4,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[613428] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-host-236.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.119  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}  ProcessId 3204  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=894621E131521D302B427B2AE20C2B00,SHA256=6B5E4AC5CA29F72180788F166936B2FBB7FA613B510F1815E31138646EE06198,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[669624] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.275
  SourceProcessGUID {D419E45B-F498-60B8-1751-00000000C401}  SourceProcessId 3640  SourceThreadId 4232  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  TargetProcessId 3052  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669623] EventID 23 FileDelete (Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.135  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}  ProcessId 2528  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=715557B563D15F98A336B46310EAF409,SHA256=D17D0745D2460DAF432FDEE39331758E9F5F5234A7BDFB20EAE1F0718EE576B4,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived true

[669622] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.104
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401}  SourceProcessId 3404  SourceThreadId 3424  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F498-60B8-1751-00000000C401}  TargetProcessId 3640  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[669621] [669620] [669619] [669618] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  Four records identical except for the lsm.dll frame in the call trace.
  RuleName -  UtcTime 2021-06-03 15:26:16.088
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401}  SourceProcessId 848  SourceThreadId 6564  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401}  TargetProcessId 3020  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<lsm frame>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm frame: 669621 = +fd18, 669620 = +11aad, 669619 = +11058, 669618 = +12023

[669617] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.088
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401}  SourceProcessId 412  SourceThreadId 388  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F498-60B8-1751-00000000C401}  TargetProcessId 3640  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[669616] EventID 10 ProcessAccess (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)  Channel Microsoft-Windows-Sysmon/Operational  Computer win-dc-233.attackrange.local
  RuleName -  UtcTime 2021-06-03 15:26:16.088
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401}  SourceProcessId 3052  SourceThreadId 3752  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F498-60B8-1751-00000000C401}  TargetProcessId 3640  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:16.089{D419E45B-F498-60B8-1751-00000000C401}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:17.666{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2F340CAAFEE109D67BB7CF2F912D5B,SHA256=EFC720C10FA39BDB753B5A3DD53BC615F80635F80E60D9FFF348A2538D00B37C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:13.527{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58311-false10.0.1.12-8000- 23542300x8000000000000000669644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.525{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C63B6A8C8D1CF78E159F897FDFEAD4D,SHA256=5FEF5B929398BDB5569657836B718C68A6E7664F5D05017D3F78063DD1FC9D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.525{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD7FBED8AD08684678856EEBDC4F899,SHA256=8C9116183A0128EB89FEFF663E40B215FC372DED3812D83AECBF80F7D0E4214F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.432{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F499-60B8-1951-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:17.432{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.432{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:17.432{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.432{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.432{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F499-60B8-1951-00000000C401}5500C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.432{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F499-60B8-1951-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:17.432{D419E45B-F499-60B8-1951-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBEE565E8AD87EBFC950B41A408A4512,SHA256=61F5951C271D138B91CAD6EE0F07D3131A20170CCA63B126D3217E66F6FD80B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.479{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E064B5DBF3B611A958BDF274D5EAABEC,SHA256=DC679D0D3AB9D25C6A144BA4F2E9A91619CB35EAD7A7B26AD9D4C7C5FE2050D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:18.666{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC5DA607049DFC4E68AFE255FC583D0,SHA256=69F811E33C71EFA91334570C4D730E4A7CEA2E04722744D6E55697C3BC193514,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000669653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.119{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F49A-60B8-1A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.104{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:18.104{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.104{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:18.104{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.104{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F49A-60B8-1A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.104{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F49A-60B8-1A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:18.105{D419E45B-F49A-60B8-1A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:19.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F682631BAB99F589A9849F9B53BE4FDB,SHA256=3F24F14FF10DE0258C437C5451430DF6EDB707AB8F401386C2C0CC80058F7F06,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:19.494{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8574A3D2CC3C96E66144FA612C89F8,SHA256=2246B1CE7FA7DC140D3A8BA0388E6E3676B3428CB76904EFA04CE184FD79FA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:19.682{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848D3AED2704BCD16541BC324F4D2CEF,SHA256=05F7D82F46DEBBC231A205350A8CE18D8E742599F79F02BF5A7C6F4588D8D028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:20.719{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=973A5B3C63D51A25012C64B870558F82,SHA256=38428E111CF036C7FED0CF4E58941A4282A45BB0B3E6FB7F831458E5D75E9E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:20.547{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26876BD001966FA716CD514727C0D826,SHA256=338FBCA48F0C382EAB19B0766B972E206A9F70F8AD894F9997621CBC64229DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613435Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:20.686{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FF073986C9A03BBC80A6ED40E4EFE7,SHA256=6A8432720F4B1B10162DE6746EF9EB287AD90F922E46FA584895459CEEAB4DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:21.610{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC57D5F3F701BF69CE69313720FE21DB,SHA256=DC55A04469CDA45BF2939A57F252D315DFAD44AFF5205E17B59133CEF86780C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:19.032{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50933-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:21.701{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8123FDFD526E28AE7B5CAEF2B8312C5,SHA256=E41391723D5E29D58FB565E754D6BEA92F2280285B572DB8F2F1F30FCC3167CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:21.186{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD7ADB2E965B3876ED07CE3AEBBD064,SHA256=B2A03BB4F88EC586F2053C6FDD6140A1B368431C6DD007FB900445D3720A7592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613436Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:21.186{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F95A654F4245B1C37D6F51688C43D8,SHA256=7847A044880C9D6C7CED4E5E3DC3CA77C83C4B4B218D9879FA91A5E139FC84C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:22.844{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1C88459000525AF50DA39473C9C8B9,SHA256=FBA56DD790BC202BA8CFA34C4176A6D3B6A8C89B644A181C4D4F59DF533A157A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:22.733{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:32.797{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.672{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418E402F16D649F4065C68FEA478C2EA,SHA256=2C4CE25A37B7B70165E01911822281A583F8F93B1630E94D4462511B26B6AC1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.281{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3BE3BF2B821A939B40E92919360FD54D,SHA256=803B1BC807D77B08B95DA744438687A7DFAA847D1AE13F6A3AF1E355AE363B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:32.266{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14EC9B6C6A820D6800444BD745C3D42,SHA256=B539279CBB875BC88139F03492D52FCC5F392D4C2A303A03061197E44788E223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:32.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6983EB743E2D612A5293CACDD9BF4FEC,SHA256=F05F08380129ED6F7520F7B2C603D95D9149A3EACC2AEFC4887410DB48E2AA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:32.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA265B5A2242454622B6FFE8F653C9D0,SHA256=D934A6ACB63BAB0C19C165BB4E60EA8695A333D329CAD87081DD5D7770E8EE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:33.795{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8F0F64FCED61E741007FA53DF66F37,SHA256=01EBB93A12DDB6D81E321CFAEC7ED5A68A76DCB464407E731DD875469B92C303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:33.922{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD705DAE66857745A0AED4D96E8F033,SHA256=08BF1BE073262C739600A2BB9A1C24FAA865390831D5001BA54D3FDD2EAF94B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:33.297{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DA886D354AB3DD97C3077AB81C24AF,SHA256=3173F90E89E544DF7E1CD9DABA8009F94C7DF2448708BD6B8ABFD5A2C66FE8ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:29.969{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50935-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:34.811{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BA9D3062366E68D036D76C1AFA197B,SHA256=000DBEFA5D2970BFA998C798B24B985EE0D3760A7044FA9D368C0094D5CD54AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:34.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ADA727CE1F8B129928BA591AB28C62,SHA256=CF6A7C093B54BACE4AFF971FACEB454C73637D7C1BDA5CA92019CA70E9E64D15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:30.595{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58314-false10.0.1.12-8000- 23542300x8000000000000000613462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:35.826{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97820157AA52CE1C79BB3AA7DC966865,SHA256=0958D53C6E6E50F90E7F50DA36C8F678D7993CBC7401135B0F46346709B48B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:35.688{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DEAC2D891AF36856EE0CDAB69E8207D,SHA256=26162F9CAD45202258C5FDFBCB15FCF5CEA11C45B86C3223C4A3C239CFAB5745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:35.688{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A992EB88ABA44173C7BAC9D84566F7BD,SHA256=29CDD495004E7350510D6C3BE4115D3D663A5C6B59A1CD7C1EF11805DEA12F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:36.858{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CA63C69085E44197902318778F7724,SHA256=982497D743E0B01FDF68F00EC40DEF3FA0F224F4F15164431D22802501B803E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:36.891{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8653E9D3A5BC294FD7471017CDC6BFCD,SHA256=D9A9405C9084DCB24C8FA1FDABA69A570D48B72F1DBFEFF27312937FA834E3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:36.703{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04652F8BAE6C5AD0D429C2B3DB7EE24A,SHA256=5424E0601FB9069EE8FCABC3C5B86AE15DFDD28BD684BAC05D56EDB4581702FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:37.873{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3461DBA482AFB1147B3427CAC161DC,SHA256=245C37A1378D4E6A5BBD914F8DAB04539C7F6ABDB01668E918D0D985AD15C916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:37.750{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC95412B12C58FBCB09CACC1B5E1074,SHA256=A4BF7578AD8E5C4347FD6C891169C1EE6915C56DC31AA9A004D7D512FB77EBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:38.766{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAF273F56C7D5C53FF0FC3861CF49C1,SHA256=C5F1969AA5C25E04A5CF2C541DD869825AEFDC9DEC3DD2F18E05737DEF0769D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:38.920{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B5E047E44D96082A35C16E46576341,SHA256=70446B08DBF30B4605D4E2F1A2536E84EAADAD66834D2079617BE3930252B952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:26:38.092{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73318BE10B1FB2163FAA82D5E473BA23,SHA256=B6270AD67336AE4678B218B6F02E7B72F578DC70AFC19ADA269AA1536F86B6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:38.092{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6983EB743E2D612A5293CACDD9BF4FEC,SHA256=F05F08380129ED6F7520F7B2C603D95D9149A3EACC2AEFC4887410DB48E2AA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:38.031{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14E50BD77D28E26C2A8E38C32AB32757,SHA256=339FF1CA851890EB27FF883D2876BC632ADE60BD371B230AFF2FE9D31351A3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613469Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:39.924{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B87ED87DE62863A517698905426F9B9,SHA256=B6BF7B3025888D3634C7CC71A3CF79324A7D0330FFE9CAABD951B783F3DF0F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:39.879{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E008EBF4731D51E80E30230B2B7316FD,SHA256=23A34F2752BD388ED92480BE3E9C6405A5044246E034B0BDBD51792DAA17B9C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:35.673{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58315-false10.0.1.12-8000- 23542300x8000000000000000669746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:39.172{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF10EE75C90B69EDEFCCC6DABE402EBD,SHA256=00AC35FC19069257CF2B26EE36BC7041520D6AC6DC6CD45FE65E38DC15E0CA2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:35.938{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50936-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613470Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:40.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15332A04DF1C748E99B1B7A6519BB66A,SHA256=1A2050CB14641710B0857BF9950037476382FF00C0B1CA361EA3DE9A07ED8B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:40.895{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A522F6163F7924ECEDB66CE224BC33F,SHA256=3B99D6348A913D60B2C9FFC455AD83E1C3EBF32564758C967843E53739243B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:40.317{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4430C82B7DB0C392867C4F6A0D423E66,SHA256=13BEAA294D40A5B1FCD7D781AB8C02FAE5C203B85F4C927616542D5BA42C73F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613471Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:41.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6311AEDAD55E1D63EF6752C0B43B2DA,SHA256=472ECEE8BFED9C3353B6E88235933B8C0DFFE2876A7724A8F0C244A7CBCAB19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:41.911{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723EDCD7062626B70EC3DB359E14EA5C,SHA256=481266572E5E966E226C4768F6FE7290BD71A17D3CBE759CB76F57F6CC465948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:41.348{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7113135D2A77B9C75353165D5ECDAAB7,SHA256=DD55A2BBE85B88BB82905CB39B554D41E45E6FD59C14BCE3BF6E84251FF77979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:42.926{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9A8AFD67C9480892E0739A8273F086,SHA256=18D040426BB8378973B380585BB7EE0BC9975585209BA2EE16D89A9BA9AFB432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613472Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:42.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0FFEE674B349F16EAB3BA72DECEAFC,SHA256=1D5EBD9BD64B89E509A2FAE19D49C89648697589BDE26B3BE5A50C241D3759F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:42.614{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C8DE63F03D1A231E30D30BE5C14B41F,SHA256=640FE4EC4B0277CDF3D67C41B3362C22613BE58E78A176C491C9DF48449E7139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613473Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:43.957{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC14DC0BB1D38AF4E8140AF2CF3D6E5,SHA256=64EDFB9662C98D092060F249AB116EDFA7457B66245ECB15DD912012998E792F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:43.958{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275D4A21C39AFCFAF1D6C1BF6440F1BE,SHA256=FAE10B044CEB1C8760A8A283723C0061F852353979A2D8E2103BF8A505ED9AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:44.973{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DDC03CF71C12A003DE727DAC0E9D73,SHA256=E5F8CAEB75579091FB8C5FCAA5BFAF027CE51352E8521B2FB2C28723DEB9ACEF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000613476Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:44.972{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A469C63AF01338CDD4987B2150C42C6B,SHA256=83EA288D80DF2A8DCF32521A9C3A2987875683FE5863CC47079C71D1916A496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613475Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:44.285{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F46E91C78C90EE62F6346FDB362D466,SHA256=FEA0B70655953191C590330ED1F1C2190D36E0D0D890BD1CCD9583031E99FB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613474Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:44.285{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73318BE10B1FB2163FAA82D5E473BA23,SHA256=B6270AD67336AE4678B218B6F02E7B72F578DC70AFC19ADA269AA1536F86B6D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:40.677{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58316-false10.0.1.12-8000- 23542300x8000000000000000669756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:26:44.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1596ECAEDCAF4E5C4913779103270EC2,SHA256=A156D3D8D3CB95A65654702FDBFC72D50904AF514E88E45768451581ABBA83E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:45.989{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458C91EF5CDA5526BDF7CA884BD96904,SHA256=8BCC20F6828782FB8F0E696CF7A1E0144078295667DB1D2C98D21A222CC98C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:45.270{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32A631593AC8E54586480A8C27935A58,SHA256=260B4DA87ED9CB425E04EF196AB73B5587CC069A587829E967FE659CBDB3C426,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613477Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:41.957{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50937-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x8000000000000000613488Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 
15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000613487Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09ba5eca) 13241300x8000000000000000613486Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75884-0x7b551cd0) 13241300x8000000000000000613485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588c-0xdd1984d0) 13241300x8000000000000000613484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75895-0x3eddecd0) 13241300x8000000000000000613483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000613482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 
15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09ba5eca) 13241300x8000000000000000613481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75884-0x7b551cd0) 13241300x8000000000000000613480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588c-0xdd1984d0) 13241300x8000000000000000613479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:26:46.363{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75895-0x3eddecd0) 23542300x8000000000000000613478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:46.019{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35B50FA82253CB7F223CFAE68B28D9D,SHA256=547C9EB157DC35670760310E0A7B1026B4430B4AC7132F606A01E4B455BB0BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:46.379{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E93A8F8922CC234D3F2330FDDFDC70BD,SHA256=39760468C405FCA1BC620B660E83CF52844C3DB4F846A9DE55D16003005A28C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613489Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:47.019{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD682D501D2C597A4E44A139CDB6703,SHA256=9AD3871D4D4ECD3D764443EEBC2E1A9C01AD1DFF5656D4F69C0353589C34BC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:47.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71A4B6BAF2452DE132554AAC1994BF21,SHA256=62D81BEC66CD620FDBF3FB3962C470155C850F3F1C089369CCF594015532E6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:47.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3584632877E549E915F17E4BD8F5C24B,SHA256=7DB8844F1E5D15317106BC13FD37F3C1C87C8F4455921D056E51BE27A56F269C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.878{97C2ED32-F4B8-60B8-545B-00000000C501}33082536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.722{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F4B8-60B8-545B-00000000C501}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:26:48.722{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.722{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613495Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:26:48.722{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613494Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.722{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613493Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:26:48.722{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F4B8-60B8-545B-00000000C501}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613492Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.722{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F4B8-60B8-545B-00000000C501}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613491Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.723{97C2ED32-F4B8-60B8-545B-00000000C501}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613490Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:48.019{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CCFA3EA67CDBCA2E2AB53C6CCA7363,SHA256=2A3B5441DB0F173E8FF827F80EF081C67875575181DF72BBEA08CB4E32853B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:48.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5138ED9D7640444EA5CE1C3BE85DC94,SHA256=409F51FCDF1F70FA2851E94B7AAB65C504E9E5DE4682D0B53ED15D21F7B56016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:48.223{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D66A7D6147715D0459FAB8B89F9627,SHA256=F5DEAAC0D37CC43D4F30877D2D5FACBA8E66DAFB37FA4B821CFC04AC13DCFFE9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:49.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6ECA5AB2AB5A6C2AF6EBF59D3BE23AA,SHA256=A1A20C2F8A75816DDB194552AC573EE92997CE97704F819E8B61259F9138FABD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:49.519{97C2ED32-F4B9-60B8-555B-00000000C501}56003440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:49.394{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F4B9-60B8-555B-00000000C501}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
Sysmon records from the Microsoft-Windows-Sysmon/Operational channel (on every record: Keywords=0x8000000000000000, Level=4, Opcode=0, Task=EventID, RuleName=-). One record per block, system fields first, then EventData in Sysmon schema order; fused ProcessId/ThreadId values are split on the rule that both are multiples of 4.

EventRecordID=613508  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.394
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613507  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.394
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613506  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.394
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613505  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.394
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613504  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.394
  SourceProcessGUID={97C2ED32-772E-60B6-0500-00000000C501}  SourceProcessId=408  SourceThreadId=528  SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={97C2ED32-F4B9-60B8-555B-00000000C501}  TargetProcessId=5600  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID=613503  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.394
  SourceProcessGUID={97C2ED32-787E-60B6-C000-00000000C501}  SourceProcessId=3336  SourceThreadId=2836  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={97C2ED32-F4B9-60B8-555B-00000000C501}  TargetProcessId=5600  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613502  EventID=1 (ProcessCreate)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.395
  ProcessGuid={97C2ED32-F4B9-60B8-555B-00000000C501}  ProcessId=5600  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  FileVersion=8.0.2  Description=Active Directory monitor  Product=splunk Application  Company=Splunk Inc.  OriginalFileName=splunk-admon.exe
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"  CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM  LogonGuid={97C2ED32-772F-60B6-E703-000000000000}  LogonId=0x3e7  TerminalSessionId=0  IntegrityLevel=System
  Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165
  ParentProcessGuid={97C2ED32-787E-60B6-C000-00000000C501}  ParentProcessId=3336  ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID=613501  EventID=23 (FileDelete)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.207
  ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}  ProcessId=3204  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=6F46E91C78C90EE62F6346FDB362D466,SHA256=FEA0B70655953191C590330ED1F1C2190D36E0D0D890BD1CCD9583031E99FB9A,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=613500  EventID=23 (FileDelete)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:49.050
  ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}  ProcessId=3204  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=126A7BF7EDF1F979A153E8368C005903,SHA256=0C493E7C119F9C7E5952D0A6BAA99C79C3FB9BE857D8AC9949A0D57E90DEF920,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=669768  EventID=23 (FileDelete)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:50.254
  ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}  ProcessId=2528  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=BB4DF49AD4E11C36A3C5F403FCE37D70,SHA256=7C1B87E2940F02C06D4FFC69CFA29DB85E71E083FA0197BD35E50F0876DE0A1E,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=613529  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-787E-60B6-C400-00000000C501}  SourceProcessId=3160  SourceThreadId=3908  SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={97C2ED32-F4BA-60B8-575B-00000000C501}  TargetProcessId=4784  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613528  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613527  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613526  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613525  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613524  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-772E-60B6-0500-00000000C501}  SourceProcessId=408  SourceThreadId=992  SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={97C2ED32-F4BA-60B8-575B-00000000C501}  TargetProcessId=4784  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID=613523  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.738
  SourceProcessGUID={97C2ED32-787E-60B6-C000-00000000C501}  SourceProcessId=3336  SourceThreadId=2836  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={97C2ED32-F4BA-60B8-575B-00000000C501}  TargetProcessId=4784  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613522  EventID=1 (ProcessCreate)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.739
  ProcessGuid={97C2ED32-F4BA-60B8-575B-00000000C501}  ProcessId=4784  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  FileVersion=8.0.2  Description=Windows Print Monitor  Product=splunk Application  Company=Splunk Inc.  OriginalFileName=splunk-winprintmon.exe
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"  CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM  LogonGuid={97C2ED32-772F-60B6-E703-000000000000}  LogonId=0x3e7  TerminalSessionId=0  IntegrityLevel=System
  Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748
  ParentProcessGuid={97C2ED32-787E-60B6-C000-00000000C501}  ParentProcessId=3336  ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID=613521  EventID=23 (FileDelete)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.550
  ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}  ProcessId=3204  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=9B83B265D2F63D87DC4DF885185B9ECB,SHA256=7FD3FBCAA88A9284C239C7A244D55C4AF748ADDD790CB94F1E7B093150835E88,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=613520  EventID=3 (NetworkConnect)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:47.053
  ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501}  ProcessId=3036  Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  User=NT AUTHORITY\SYSTEM
  Protocol=tcp  Initiated=true  SourceIsIpv6=false  SourceIp=10.0.1.15  SourceHostname=win-host-236.attackrange.local  SourcePort=50938  SourcePortName=-
  DestinationIsIpv6=false  DestinationIp=10.0.1.12  DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal  DestinationPort=8000  DestinationPortName=-

EventRecordID=613519  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-787E-60B6-C400-00000000C501}  SourceProcessId=3160  SourceThreadId=3908  SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={97C2ED32-F4BA-60B8-565B-00000000C501}  TargetProcessId=3476  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613518  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613517  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613516  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613515  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613514  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-772E-60B6-0500-00000000C501}  SourceProcessId=408  SourceThreadId=528  SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={97C2ED32-F4BA-60B8-565B-00000000C501}  TargetProcessId=3476  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID=613513  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.066
  SourceProcessGUID={97C2ED32-787E-60B6-C000-00000000C501}  SourceProcessId=3336  SourceThreadId=2836  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={97C2ED32-F4BA-60B8-565B-00000000C501}  TargetProcessId=3476  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613512  EventID=1 (ProcessCreate)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.067
  ProcessGuid={97C2ED32-F4BA-60B8-565B-00000000C501}  ProcessId=3476  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  FileVersion=10.0.10011.16384  Description=SplunkMonNoHandle Control Program  Product=Windows (R) Win 7 DDK driver  Company=Windows (R) Win 7 DDK provider  OriginalFileName=SplunkMonNoHandle.exe
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"  CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM  LogonGuid={97C2ED32-772F-60B6-E703-000000000000}  LogonId=0x3e7  TerminalSessionId=0  IntegrityLevel=System
  Hashes=MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8
  ParentProcessGuid={97C2ED32-787E-60B6-C000-00000000C501}  ParentProcessId=3336  ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID=613511  EventID=23 (FileDelete)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:50.050
  ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}  ProcessId=3204  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=29A1D3D530B629937BD4A4FB08F74BDA,SHA256=7FA9EB9A2E0651B548A3C497A05F909C53725CF06B603821A3D8155365064E5D,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=669767  EventID=23 (FileDelete)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:50.004
  ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}  ProcessId=2528  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=45998BCCF957ADC991DDE78214F516CD,SHA256=358ECD50C9D891AFE9A92C2EC49ABDB2B508D1041786783F9A1969AABFF441C8,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=669771  EventID=23 (FileDelete)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:51.489
  ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}  ProcessId=2528  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=C6B2591E4CC29D7F71094C4197E665CE,SHA256=91377B66F0D60FBFAD6469FA5DF796F59FF7825633C57DCAE2F6531279EE364A,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=669770  EventID=23 (FileDelete)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:51.286
  ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}  ProcessId=2528  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=573B88251CC3CD49D7FA54309746E673,SHA256=097B42974DF63DDC0D9B18618994D6374BD6924D54F17EB32D119BB77E17772E,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=613540  EventID=23 (FileDelete)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.785
  ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}  ProcessId=3204  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=EF5A05E4895A3DF4E0CB1D7D3055A4C8,SHA256=AE94F537BE33EDFA4FEA652C2E3E9084AE80168D3B8E0B09DB2493519CCB56F2,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=613539  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.550
  SourceProcessGUID={97C2ED32-F4BB-60B8-585B-00000000C501}  SourceProcessId=4256  SourceThreadId=432  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID={97C2ED32-787E-60B6-C000-00000000C501}  TargetProcessId=3336  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  GrantedAccess=0x101400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613538  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-787E-60B6-C400-00000000C501}  SourceProcessId=3160  SourceThreadId=3908  SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={97C2ED32-DD70-60B8-1C58-00000000C501}  TargetProcessId=4256  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613537  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613536  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613535  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613534  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613533  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-772E-60B6-0500-00000000C501}  SourceProcessId=408  SourceThreadId=528  SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={97C2ED32-DD70-60B8-1C58-00000000C501}  TargetProcessId=4256  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID=613532  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.410
  SourceProcessGUID={97C2ED32-787E-60B6-C000-00000000C501}  SourceProcessId=3336  SourceThreadId=2836  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={97C2ED32-DD70-60B8-1C58-00000000C501}  TargetProcessId=4256  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613531  EventID=1 (ProcessCreate)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.411
  ProcessGuid={97C2ED32-F4BB-60B8-585B-00000000C501}  ProcessId=4256  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion=-  Description=-  Product=-  Company=-  OriginalFileName=-
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"  CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM  LogonGuid={97C2ED32-772F-60B6-E703-000000000000}  LogonId=0x3e7  TerminalSessionId=0  IntegrityLevel=System
  Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentProcessGuid={97C2ED32-787E-60B6-C000-00000000C501}  ParentProcessId=3336  ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID=613530  EventID=23 (FileDelete)  Version=5  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:51.050
  ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}  ProcessId=3204  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=DDAAE22A64B568517605920611356987,SHA256=0516A669D8676DD9DD0847AF2C37540056FAC8A01040C0F6E7EFF7CF2B1A5683,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=669769  EventID=3 (NetworkConnect)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:46.646
  ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401}  ProcessId=3320  Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  User=NT AUTHORITY\SYSTEM
  Protocol=tcp  Initiated=true  SourceIsIpv6=false  SourceIp=10.0.1.14  SourceHostname=win-dc-233.attackrange.local  SourcePort=58317  SourcePortName=-
  DestinationIsIpv6=false  DestinationIp=10.0.1.12  DestinationHostname=-  DestinationPort=8000  DestinationPortName=-

EventRecordID=669773  EventID=23 (FileDelete)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:52.645
  ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}  ProcessId=2528  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=BEA3A4328B31E1EE210B7ECD35E44930,SHA256=3EA9EAE2A3ECCBE9F82BDE175E401240C544ED421865D5DE1427ECBB111B6976,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=669772  EventID=23 (FileDelete)  Version=5  Computer=win-dc-233.attackrange.local  UtcTime=2021-06-03 15:26:52.317
  ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}  ProcessId=2528  User=NT AUTHORITY\SYSTEM  Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=DA1CE898C38CB362DAAAFC03044769FC,SHA256=D82BCBB0950BF1A1F4986B30282F72F9ED72CC3BF01115E5E1CDB047F3DDE52C,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID=613558  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:52.894
  SourceProcessGUID={97C2ED32-F4BC-60B8-5A5B-00000000C501}  SourceProcessId=5072  SourceThreadId=4928  SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  TargetProcessGUID={97C2ED32-787E-60B6-C000-00000000C501}  TargetProcessId=3336  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  GrantedAccess=0x101400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613557  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:52.754
  SourceProcessGUID={97C2ED32-787E-60B6-C400-00000000C501}  SourceProcessId=3160  SourceThreadId=3908  SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={97C2ED32-F4BC-60B8-5A5B-00000000C501}  TargetProcessId=5072  TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613556  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:52.754
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613555  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:52.754
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613554  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:52.754
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613553  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 15:26:52.754
  SourceProcessGUID={97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId=724  SourceThreadId=1868  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId=2016  TargetImage=C:\Windows\sysmon64.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID=613552  EventID=10 (ProcessAccess)  Version=3  Computer=win-host-236.attackrange.local  UtcTime=2021-06-03 (record truncated here)
15:26:52.754{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F4BC-60B8-5A5B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.754{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F4BC-60B8-5A5B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.754{97C2ED32-F4BC-60B8-5A5B-00000000C501}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000613549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F4BC-60B8-595B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000613547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:26:52.082{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F4BC-60B8-595B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F4BC-60B8-595B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-F4BC-60B8-595B-00000000C501}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:52.082{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B254C584E4214344AD6A81C605F0BD9D,SHA256=838CD6C8969945878269914185938FE80164FE016BBCB073C4F01E4E3F1DA411,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000669775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:53.786{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13B47FDD9392AB0A8F78D8A3D1739C95,SHA256=C8F5E6FAED0B44D7FD58708294F99B043B7E5E0DBB94C459389B4E7885A61E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:53.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE3FD7E1A8D65CA1DE86AFB23BEA1D3,SHA256=FB552A08A48614B692B81EE2673C65231958E6899735EA8BA801E2A342DA4D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:53.144{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565BE218AAB88B468D46DEE4E0A4A57A,SHA256=10BE65498C74337EE30F4D642AF7CAB43B913B07E590AD36051F663DB95B69BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:53.082{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98FF49C013EA7E429A26D7DC7F22DAE3,SHA256=57394D00C0906848CD459A2A50D6DFB96DFB019C2159701A4A259112C5E98663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:54.144{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9426C6F6334B2642B981A3D6A4C94011,SHA256=C6F7B8FF417B74CF79073CA2BF2ACEE6ECEAD73F5DB45D515A83D5CCB000A5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:54.942{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B736FFE2DAB14A3900F6623DFB99C3F2,SHA256=6AA6974D6C1E713FF8317E913C3CC95034DC698242973D8E324E045D50246EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:54.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFF691D573AF7EB8925043FB8C91CF4,SHA256=D3145384DDE400EA425E9D1C848803B710BE59620CFFD6D78E3B20ECD0A72263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:55.551{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94AEC29F5F5B3CA82F086A92699ED43,SHA256=83041D9916132FCB32787C71DAAB375C25ED58288D6D7855118F82CF835AD4AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:53.021{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50939-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:55.207{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5202BE402EA927106B00E5E30F876855,SHA256=CABF48E3554E8C70D076C650684FADEE34AF9F7F97820C631C2DB0BAFAB91104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:55.191{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0EDC060FAF2D047A284C67DD16AEB32,SHA256=288AA987B023D422041B10DB2F1F5AA16AAA1CBC2B3F1F72CD1E867A4784BF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:56.567{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C14CC0560E36745C7074D82C9809741,SHA256=0172487E957BACF64366D06D36876E2B6AF3ABD361D37F460C42A4F46D6F5CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:56.222{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4460070D033CA1B7014CEF7B9F0FBBB5,SHA256=EAC578DB847F064109922ABF4613A4038A5803E09E5C1158D23E610908C38D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:56.067{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AF666644134C8666821972C800BF88C,SHA256=008A978613CB3CA0A1FB834CD47477D203514B5AAB4BFF4B2C8850357D9EAA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:57.614{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B3F257EF4EF9493C90EDA4AD0C5024,SHA256=34067EDA9B3F1248E9AED5A98019751540E7D7BECE1B8140FD114AA7E78F06F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:57.238{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53DD917A8D4A5DF050916AE73386DD5,SHA256=B6B26C1D0EBF0BB566DFA638F6D6C0C699EB0B6BEBD7D707C2F8B8100843586F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:57.301{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DDEE464B4D65BE66BE844FC00828144,SHA256=2CF2414AD5C1E51AFFB9E4605C3BB87CD4811F0920E65C62F0E5DC2E20159D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:52.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58318-false10.0.1.12-8000- 23542300x8000000000000000669785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:58.833{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7935052FAAD6AFBFDBA3596DB1B09D5E,SHA256=91310EA14DF2FB5D0B59632E7021E303D0709C45FD9D234C066F5BB5B7C7627C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:58.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B9D0C8CA9CBF927167FEC68CF9E970,SHA256=8F727EC885AA77611D8F631C6AE2CF842FFB9A422A77FA8BEA8DE94DCFE2ABF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613567Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:58.253{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB47F5190F2EBA5A881BDC3FA7A52FB,SHA256=D643049F9269DE0667918F4D53B23AE6FD59DE07482FCEAFF5E9398C32F3BDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:59.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143078E0EFF3012C45E8E28B17736A40,SHA256=6EEA2D618E65BA500BCB13EF0BBB3903D99882D920D3444430BCEDB9FAE06DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613569Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:59.379{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613568Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:59.269{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFC7608C7E45037095BBC38B2D63AEA,SHA256=F7967D15C355887AFC2FA0CA4D3FE49D5AE97A386136C5263182683F9BDE48DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:00.925{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26BF4773C80269D5E12F20151BD0A00,SHA256=6FCD57E913B8A341F6815ED58940B0B8380DC8238BDF0457C74E349C4511171C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613573Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:58.021{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50940-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613572Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:00.392{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0B9020E7D79E68624FD1E9C27D9A677,SHA256=484E50934C3D1A809AF52DC00B88E1C9320F517812B8BFADDB8858B85281BD63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613571Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:00.392{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A24AFC7453E00169828A9B095DD6057A,SHA256=5AFFE25E5E9E3042ADC9FC898A6963622A23020F012BF56F4931AAB07FA90AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613570Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:00.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99B182FCC5D1FFB6203A2E001BF1C26,SHA256=FF90E4AF1A0DDDD6FAB6DF3C845F955F66601B68657F107E70779AD7589EC88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:00.003{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5CE98022D6314F4A798946E93B10872,SHA256=7C10649982DE1EADD52C1604348F64A984EDA6A6C090AE6C90922B481025EBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:01.941{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B1FF358F7C83CF6442A72BEF6E5C2,SHA256=DB70EA7040706704F3DB641A209C6DC8F2B31590649941E82D8BDDEAAC314074,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613575Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:26:58.209{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50941-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000613574Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:01.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071182BC4D75660EFF81FC4043E7FACD,SHA256=F5534A1CC3B049B2CA83B046EE4AFA5F7864253B7ED129248364F73F93072651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:01.113{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCCACCCD94830FD59DA75EA7CDED66CA,SHA256=493D3562BFBBD1C9058DEA2C193CE25B6838C1F9CB325DF59A67C9527FD4B31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:02.956{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF795B30618E10429859E2C32ED68DE,SHA256=00C88B649C6C518F5D39798E39E52DE9288819F2628ECBDF0E59BF78668A8F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613577Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:02.454{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2586B66D3E42253746B80DDDF93711EC,SHA256=AD8E72457EF60A63A4F070AA439DC320D90DAF16E9158876A02FBBDB735FCD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613576Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:02.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC73F6DBB76AF8371942282E05BD891,SHA256=F4F1CADC555B026E101E36877AA9A51E10457E253752FBC326C8595D1AF652BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:58.676{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58319-false10.0.1.12-8000- 23542300x8000000000000000669792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:02.363{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:02.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A17B50F2C3D412472D8539CB6391DC8,SHA256=D9BD85394F14B341F60BE95AABCCCF715A7AF22EBFB3C50CCD537CB10307FFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:03.972{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9140CD331F9945F2BFDC4C62837AB7,SHA256=103D2E6A589E41E4F1F8C28D21EDFDBDEBA45693E6B458453D9D3F258ECB13DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613578Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:03.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0812C6AF6773C2F35EE7A585E19A60,SHA256=DE6276F974965B405A2EA10BDD60B441A15E6973F0B28E4C8EB9E7FA2308281E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:03.363{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D3F99D1EFF9013F0DAA1AC2D67DC169,SHA256=D735626DF463EFF5070F80FC6DE6615F8C1743D2AA1259EA24014A50CEDE1A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:04.988{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A5897992F537B5A75620A862ED7A63,SHA256=8D573A54ACEBFF2D266C6921DE61C35288E30286B52A73AECE9FCA5F0046471E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613579Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:04.314{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF383B792F3279F1D95982F043489FC,SHA256=605F35DB6B38ACBEFF786DC2FEA01315A550439F72D7EA7B5EED7AF7255C56A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:04.644{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05CA1C787AA14168B394D755C3DEA453,SHA256=F686802DFEA4EA77AECE1CE015D0B1E3E121FE179356D562E48F5E2409D6F91B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:26:59.801{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58320-false10.0.1.12-8089- 23542300x8000000000000000669801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:05.988{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1AB9D9321C1AC81FDFDDD2334FBE51,SHA256=5A918B7DEEEDE5484F70711ECF31386A343B66ADC8E81FC8D3EB9429A17C430B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613582Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:03.035{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50942-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613581Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:05.329{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56F1A0FA073332370102B4AEF141D13,SHA256=B32D81B6E7A8C60FB0F9C67DBC046C7BD666C58FA52CD32441D0044026B4C0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:05.925{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4542265B7EBB9EA8CF017674A0ED3D76,SHA256=5E6146F911952EE76C16DCAF030738FA2CAA0218DA598D4A98E38D0187020C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613580Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:05.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0B9020E7D79E68624FD1E9C27D9A677,SHA256=484E50934C3D1A809AF52DC00B88E1C9320F517812B8BFADDB8858B85281BD63,IMPHASH=00000000000000000000000000000000falsetrue

EventID 23 (FileDelete, Version 5) | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 613583 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-host-236.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:06.343 | ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501} | ProcessId 3204 | User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=C69F742DE1F8CB31751D2EFEC0706D05,SHA256=279E1CDB4F68074BB0413F11A8D9F341215C81699671A377111218CCD89C26F9,IMPHASH=00000000000000000000000000000000
  IsExecutable false | Archived true

EventID 3 (NetworkConnect, Version 5) | Level 4 | Task 3 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669803 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:02.536 | ProcessGuid {D419E45B-752D-60B6-0B00-00000000C401} | ProcessId 632 | Image C:\Windows\System32\lsass.exe | User NT AUTHORITY\SYSTEM
  Protocol tcp | Initiated false
  SourceIsIpv6 true | SourceIp 0:0:0:0:0:0:0:1 | SourceHostname win-dc-233.attackrange.local | SourcePort 58321 | SourcePortName -
  DestinationIsIpv6 true | DestinationIp 0:0:0:0:0:0:0:1 | DestinationHostname win-dc-233.attackrange.local | DestinationPort 389 | DestinationPortName ldap

EventID 3 (NetworkConnect, Version 5) | Level 4 | Task 3 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669802 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:02.536 | ProcessGuid {D419E45B-753F-60B6-2D00-00000000C401} | ProcessId 3028 | Image C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | User NT AUTHORITY\SYSTEM
  Protocol tcp | Initiated true
  SourceIsIpv6 true | SourceIp 0:0:0:0:0:0:0:1 | SourceHostname win-dc-233.attackrange.local | SourcePort 58321 | SourcePortName -
  DestinationIsIpv6 true | DestinationIp 0:0:0:0:0:0:0:1 | DestinationHostname win-dc-233.attackrange.local | DestinationPort 389 | DestinationPortName ldap

EventID 23 (FileDelete, Version 5) | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 613584 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-host-236.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:07.361 | ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501} | ProcessId 3204 | User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=5F5DB7FE5727E7C32579011C1A43CE0E,SHA256=C94E8E85AE146536A206826EFEF22FB475EBB970578EF1BC665EB0669B0C90E1,IMPHASH=00000000000000000000000000000000
  IsExecutable false | Archived true
23542300x8000000000000000669805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:07.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5831E9D3F47C6924579044057C00A124,SHA256=767201CCF2065CE31914CC8491718D498FF1E9E16917D2D4385ED6E87E18EBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:07.003{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B696EEE691B5736A77AB02FB870BC59,SHA256=A9B9D8C2A0E9AF394500DE56774C85EC31597870EC162324B8A00E918BD1B7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:08.361{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04007289E20E1D757323242DD41652BB,SHA256=1A93F601AA266893E684C2D687C1AF47AFD811E8939BB43B937A0187DA6F1A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:08.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD67A51D0A8BD1E206F6D37E0DEEAD5F,SHA256=6AC56FE2CA2728AC6400E6887027A03AE9DE9940A8EC3AF52981BDF4607657A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:08.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571365BE6947F7A90FA905DDF5407C40,SHA256=6C98A8BFEC248EAE67DD798ED1BAF38301947F9CC02CEF2F6697F553096CC90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:09.408{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD94D583B94F28759BBDA63A5205A6E,SHA256=A1ED81D678C3BB7E3DAAA5734FEA45D9EA840179DE5CA38D8516B7E4BE22BFD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:04.567{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58322-false10.0.1.12-8000- 23542300x8000000000000000669809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:09.489{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24E419326A7F9E26C6B3A33A8E971156,SHA256=37CFF39F90F30C6C49A21BBC50BD8AA0EB4CB91256A6B17FFEDDE8E7663CE05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:09.020{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF96E9FECB1BCD3D77BB6DAD8340903,SHA256=F722FAE0EB5853D796FC6140D0559A345DA85B391465700E4864AEA93013F328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:10.693{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0CC554889B34FD82D84F90FC05A7911,SHA256=F54F2D2E58A533317BC7C53C3EE931DD367DFAA96A8816B3CFEBB1E3306DF3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:10.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE6D83C4249A7FEF1E4D4746C0EED5F,SHA256=3B3B9CDE52FFB02480C4082A8BF39B4961544E314CE3A77A231CFA02944303C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613587Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:10.423{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10021E9C0A6BBE19B6AD76A8EC70A29A,SHA256=B4016DC0F6AB90C2ED30F1ECE2E9440EFBD6E934CA6EAFCDCF6E72572275170A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613591Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:08.972{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50943-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613590Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:11.423{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD107D3A0A94CC00F8CFDC01D2535F1,SHA256=82CF8B1DB71FC5B8741584E13603D04AB00F0CC60F1E38B1EC31F23AE8E5BB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:11.943{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=512757C72C792FC26DD9B59F3869197F,SHA256=95EBEFCDB69108CAB769A854F97ED76AE331C2F3AEDA9AB34F2C05239BF45951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:11.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E24E7B0CC5D885ADB115BF1AB9702BC,SHA256=17B0DEE659729D39C2C9A6451D620D3FC4A36066F6FAD20A6040E96768499206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613589Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:11.142{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC5D21D9B1EDA157C5A6B1C3FD865900,SHA256=CA56A5DD9106DBD074B60168DFFB716CE4228048B6D41D12CA1C18EB32447760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613588Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:11.142{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974EB448F1D508D1685CAF8ECC51C693,SHA256=E319BD6A6E1C59F2D26A42E11553F635B8A12E8118C0B954B144885676837EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613592Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:12.439{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D41695F86447E6F06B203C21468530,SHA256=A47715CA4AF1E6DF738AE2BEC5F480C741E0DAF4BCD0056E226302AC717867CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:12.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABFD07EF336A21A4F0040F68ECF9212,SHA256=ED8918E8EF85BA43E550B92E2E0740A1CFC4E32AC8148C2659906FF23172B5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613593Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:13.439{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5D21CC168A91C736CA31A99CE82099,SHA256=EB13DEAF0F4B6677C27BB57C32E3250E8E0E6BDB670B3BC8ADF08459552E7AE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000669818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:09.694{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58323-false10.0.1.12-8000- 23542300x8000000000000000669817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:13.349{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C3C2FF65CAA5244539942E04B2FAFF,SHA256=C913EDE0B46611086ECBDFABE4CA3AEE49E59DD4D0638BF9FD56F0E858CB20BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:13.146{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D117A10C9E4C53A355B321BF0E31866F,SHA256=6D75BF6D5B2D9D7D4644EF30AEAE5EDE529C7E7A9A529A5A448E1A31C26AD57B,IMPHASH=00000000000000000000000000000000falsetrue

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669837 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.802
  SourceProcessGUID {D419E45B-F4D2-60B8-1E51-00000000C401} | SourceProcessId 4316 | SourceThreadId 2884 | SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  TargetProcessGUID {D419E45B-753F-60B6-2E00-00000000C401} | TargetProcessId 3052 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669836 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.662
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401} | SourceProcessId 3404 | SourceThreadId 3424 | SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F4D2-60B8-1E51-00000000C401} | TargetProcessId 4316 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669835 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.662
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669834 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.662
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669833 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.662
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669832 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.662
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669831 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.646
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401} | SourceProcessId 412 | SourceThreadId 428 | SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F4D2-60B8-1E51-00000000C401} | TargetProcessId 4316 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669830 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.646
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401} | SourceProcessId 3052 | SourceThreadId 3752 | SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F4D2-60B8-1E51-00000000C401} | TargetProcessId 4316 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 (ProcessCreate, Version 5) | Level 4 | Task 1 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669829 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.648 | ProcessGuid {D419E45B-F4D2-60B8-1E51-00000000C401} | ProcessId 4316
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  FileVersion 8.0.2 | Description Active Directory monitor | Product splunk Application | Company Splunk Inc. | OriginalFileName splunk-admon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" | CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM | LogonGuid {D419E45B-752D-60B6-E703-000000000000} | LogonId 0x3e7 | TerminalSessionId 0 | IntegrityLevel System
  Hashes MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165
  ParentProcessGuid {D419E45B-753F-60B6-2E00-00000000C401} | ParentProcessId 3052 | ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 (FileDelete, Version 5) | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669828 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.521 | ProcessGuid {D419E45B-7552-60B6-7500-00000000C401} | ProcessId 2528 | User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=C4044A3485704A68B27088A9399DED6D,SHA256=77ADE1A90A9B33D7AA0B14FDE8582D05DE27E41CDF5B3957821A37BC8F3A9FC7,IMPHASH=00000000000000000000000000000000
  IsExecutable false | Archived true

EventID 23 (FileDelete, Version 5) | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669827 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.380 | ProcessGuid {D419E45B-7552-60B6-7500-00000000C401} | ProcessId 2528 | User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=FC23FDEB8DA15377FE77867B15F52F9A,SHA256=71DAEB923AE646DBC2F3BC38934AD996B7AA6C0DB16A135AED46C45699DAB910,IMPHASH=00000000000000000000000000000000
  IsExecutable false | Archived true

EventID 23 (FileDelete, Version 5) | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 613594 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-host-236.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.439 | ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501} | ProcessId 3204 | User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=E4CAB61BEC239161D31598D33E16C3BD,SHA256=5EF0246416F3003C3B0D9495A109A74480BE92B3AF3EAE6C84C1C31D5F80313A,IMPHASH=00000000000000000000000000000000
  IsExecutable false | Archived true

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669826 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-7541-60B6-3700-00000000C401} | SourceProcessId 3404 | SourceThreadId 3424 | SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {D419E45B-F4D2-60B8-1D51-00000000C401} | TargetProcessId 1988 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669825 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669824 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669823 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669822 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-752F-60B6-0C00-00000000C401} | SourceProcessId 848 | SourceThreadId 6564 | SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {D419E45B-753F-60B6-2C00-00000000C401} | TargetProcessId 3020 | TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669821 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-752D-60B6-0500-00000000C401} | SourceProcessId 412 | SourceThreadId 528 | SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {D419E45B-F4D2-60B8-1D51-00000000C401} | TargetProcessId 1988 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 (ProcessAccess, Version 3) | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669820 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.083
  SourceProcessGUID {D419E45B-753F-60B6-2E00-00000000C401} | SourceProcessId 3052 | SourceThreadId 3752 | SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {D419E45B-F4D2-60B8-1D51-00000000C401} | TargetProcessId 1988 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 (ProcessCreate, Version 5) | Level 4 | Task 1 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 669819 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-233.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:14.069 | ProcessGuid {D419E45B-F4D2-60B8-1D51-00000000C401} | ProcessId 1988
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  FileVersion 8.0.2 | Description Network monitor | Product Splunk Application | Company Splunk Inc. | OriginalFileName splunk-netmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" | CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM | LogonGuid {D419E45B-752D-60B6-E703-000000000000} | LogonId 0x3e7 | TerminalSessionId 0 | IntegrityLevel System
  Hashes MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC
  ParentProcessGuid {D419E45B-753F-60B6-2E00-00000000C401} | ParentProcessId 3052 | ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 (FileDelete, Version 5) | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | EventRecordID 613595 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-host-236.attackrange.local
  RuleName - | UtcTime 2021-06-03 15:27:15.439 | ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501} | ProcessId 3204 | User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=FB80375108A42E5F838A6369CF18A538,SHA256=BC79C86A244ADA2528043A3456C4E5DD81883A6DB6C33C5433CB38A4FD3DAAC7,IMPHASH=00000000000000000000000000000000
  IsExecutable false | Archived true
23542300x8000000000000000669856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.849{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94609EEAFC965A6989F83A6C4417899C,SHA256=4920BDF44EB6EB50EF03AE23209488EA5A50B1D85A48A90688BFCC465632F638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.833{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F4D3-60B8-2051-00000000C401}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.833{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000669853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.833{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.833{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:15.833{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.833{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F4D3-60B8-2051-00000000C401}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.833{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F4D3-60B8-2051-00000000C401}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.835{D419E45B-F4D3-60B8-2051-00000000C401}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000669847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.552{D419E45B-F4D3-60B8-1F51-00000000C401}60766400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000669846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.396{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213EDF110C0A76E5B44196ADB99F38BA,SHA256=20405FC0E1054D7318BAB3DA96B68D49D1324C9765241FF6314F2C01404FC673,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.349{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F4D3-60B8-1F51-00000000C401}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:15.333{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.333{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:15.333{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.333{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.333{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F4D3-60B8-1F51-00000000C401}6076C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.333{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F4D3-60B8-1F51-00000000C401}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:15.334{D419E45B-F4D3-60B8-1F51-00000000C401}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000669867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.615{D419E45B-F4D4-60B8-2151-00000000C401}4164584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.474{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F4D4-60B8-2151-00000000C401}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:16.474{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.474{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:16.474{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.474{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.474{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F4D4-60B8-2151-00000000C401}4164C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.474{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F4D4-60B8-2151-00000000C401}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000669859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.475{D419E45B-F4D4-60B8-2151-00000000C401}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000669858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.412{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F4D5DE2A7D039F8BE1E48917C39504,SHA256=30BEFCC885D3C651C6827F6F1660876C474912A9118A07DBA8D5813A51ED1861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:16.439{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BEE1801B3C820C394BB7EC51FF25D9,SHA256=410C395650DEFE52996F71EF333EDA12924C38E16003B01A26C2227129ED4665,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000669857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:16.037{D419E45B-F4D3-60B8-2051-00000000C401}50963044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
10341000x8000000000000000613634Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.151{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613633Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.151{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613632Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.151{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-F4E1-60B8-5C5B-00000000C501}2420C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613631Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:29.151{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F4E1-60B8-5C5B-00000000C501}2420C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613630Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.151{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613629Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:29.151{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613628Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.151{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613627Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:29.151{97C2ED32-F4E1-60B8-5C5B-00000000C501}24203488C:\Windows\system32\conhost.exe{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613626Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.136{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-F4E1-60B8-5C5B-00000000C501}2420C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613625Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.136{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613624Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:29.136{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613623Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.136{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613622Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:29.136{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613621Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.136{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613620Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:29.136{97C2ED32-9D3E-60B6-7A08-00000000C501}33644428C:\Windows\system32\ServerManager.exe{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.
30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000613619Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.132{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000613618Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:29.089{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=2339A37F2F63B650E3C924943DB9C592,SHA256=F105A8F45C7C049A638E5680195F55F411E516E02E77AAD747B5F93542CC1276,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613653Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:28.030{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50947-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000613652Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:28.030{97C2ED32-F4E1-60B8-5B5B-00000000C501}2868<unknown 
process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50947-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000613651Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BA076170082253419BD9126877F354,SHA256=E9B5203E4BF42B9938B1F51E3BB128DDC0A7E896AE730CFE705F22947A2D9D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:30.279{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A3537FFD54C551173B76057E951637,SHA256=7E7D0234E6377573021ADA12915E38FA4D4AADEE5FF187AED3859C8856280AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613650Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613649Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613648Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613647Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613646Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613645Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613644Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:30.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613641Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.152{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F26CE718D43519D3EA76947DE3FCF9,SHA256=003B76BDB51E1D0058DAB00C77FDBB07A92890C00CA09F4B01749C7012BB750E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613640Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.152{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44FCEDE192B37DA0A318B267AD2230A8,SHA256=E253D489154AA1826D3C85A2E0EC3406F6398695B3D27008DD976C2000B33471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613639Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:30.152{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
15:27:49.918{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.918{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:49.918{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.918{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F4F5-60B8-5F5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.918{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F4F5-60B8-5F5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.919{97C2ED32-F4F5-60B8-5F5B-00000000C501}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.699{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199167AE772F98B5CD0BE7614228D92E,SHA256=EAB9F655C0C7952EB45FD25637183D77A9C234FEC5306FAEED61F10A8BEF251E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:49.545{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE205113820E4E99785214D97923D9A,SHA256=A8A230A34AEBA2F6B5938DDD39B7F201714093AF198890F998953EA5A27A715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:49.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F8A13915C7A6201CBCC6026DB01269,SHA256=FF64BB70F01BB9E5F4E33832564ED96B768B347597315BE711EC4B69DF938644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.433{97C2ED32-F4F5-60B8-5E5B-00000000C501}11084980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000613699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:46.920{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50951-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000613698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.293{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F4F5-60B8-5E5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.293{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:49.293{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.293{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:49.293{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.293{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F4F5-60B8-5E5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.293{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F4F5-60B8-5E5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.294{97C2ED32-F4F5-60B8-5E5B-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:49.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F0989FDD45BA8B7E236426870A4469,SHA256=F17E7B34A090725591C52EA0B6A6920BB903058FAFE975BC04C346BFA18251C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:49.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390FDCFCE48C9458EEF344AD5302267E,SHA256=2D9ED47C4F03A92E9122EF40CB4A5C1FB71F6A7446ED4828A661D0FA30B313DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.730{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815232BB4F959689FAE1142D52284046,SHA256=01BC55265EB06ECD86A0DB19142D2C3D05672CD6947D52636C0FCD47EC68DA8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:50.670{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F97B42B76B11C52537097DA998C745C3,SHA256=5E26CD6500122CFF25A1679624AEBE42521DB3082EC792EA5731AF9142C7F29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000669950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:50.232{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980C88B0CD3272097739362550E6354D,SHA256=AFB0E67B191444BC8A183D64582AA6FFC57E56B20C42F73EA196AB58C765E9CD,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000613719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.543{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F4F6-60B8-605B-00000000C501}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.543{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:50.543{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613716Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.543{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613715Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:50.543{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613714Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.543{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F4F6-60B8-605B-00000000C501}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613713Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.543{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F4F6-60B8-605B-00000000C501}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613712Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.544{97C2ED32-F4F6-60B8-605B-00000000C501}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613711Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.308{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F0989FDD45BA8B7E236426870A4469,SHA256=F17E7B34A090725591C52EA0B6A6920BB903058FAFE975BC04C346BFA18251C4,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000613710Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:50.043{97C2ED32-F4F5-60B8-5F5B-00000000C501}49365112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:51.887{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F4F7-60B8-625B-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:27:56.217{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000669985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.170{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.170{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.170{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000669974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:27:56.123{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSdf679cbd-1890-4f4b-a958-588d197f014f 10341000x8000000000000000669973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.107{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.092{D419E45B-7530-60B6-1600-00000000C401}1268432C:\Windows\System32\svchost.exe{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.092{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.092{D419E45B-752F-60B6-1400-00000000C401}1100524C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.092{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.092{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.092{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.092{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.092{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.092{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000669963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:27:56.092{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b
5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000669962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:56.072{D419E45B-F4FC-60B8-2451-00000000C401}3912C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exe"C:\Windows\system32\bitsadmin.exe" /transfer myDownloadJob /download /priority normal https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe 
c:\temp\winrar.exeC:\temp\victim-files\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000613757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:27:57.809{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4299AE5E3E470446E923AAEC01072A5A,SHA256=EC79BB4465E385346FE6BBBFF01A9770F549B940596B1E53D4724C85F04C4CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:57.389{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D77637A5C26D0D22EB121207DD3234,SHA256=2DBCE6F50CCBE50B7416715ED056D62D43AD3C8356311EB9E489065905C892E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:53.723{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58332-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local47001- 354300x8000000000000000670008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:27:53.723{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT 
10341000x8000000000000000613805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.110{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:11.047{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F809CE474114962EF63BB7C07C1F423,SHA256=5EF5542ABE1DEAE572BA9670792E909176AD028CB86C1F533393659A5818B2E6,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000670065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:07.645{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local58339-false10.0.1.12-8000- 23542300x8000000000000000670064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:11.125{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650CF96314C84B64E839C6F33C926CEB,SHA256=AB8C26C7A6E615C8C854BF23198FFEF45C22450AE014D6C3B522A62A0B9AB97D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:09.925{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50956-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:12.547{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A747815BEE19D800015E36371130D7DE,SHA256=71AC78C2037025A38D7ADD6753E070FE152F139981F893A8B7A80E2996728FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:12.547{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130AB3B652E11B7AE67019A93F13FC55,SHA256=E1B01BBDD94DDA70EBC2AFDE1B58351F886D3D44D1BCBFE170F9ACFA3A19D832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:12.547{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F4D6EF03121D0086219DB2386F5D13,SHA256=D1FB7FC4157F9405547F2FFEC25131E34279136D53CE226108491AAFFEC597A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:12.692{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983D52F7A74AE1B693CD30C23707307C,SHA256=C836AF2C9B7050AD283A36CCF0B5BCD85B0F53D07A53B4180AF4E541BB9504DA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000670086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:12.443{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000670085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:12.443{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\StaleAdapterDWORD (0x00000000) 
15:28:16.614{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.614{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.614{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F510-60B8-2951-00000000C401}5708C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.614{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F510-60B8-2951-00000000C401}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.615{D419E45B-F510-60B8-2951-00000000C401}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000670153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000670152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09c3955f) 13241300x8000000000000000670151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75884-0xb0fc6ab6) 13241300x8000000000000000670150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588d-0x12c0d2b6) 13241300x8000000000000000670149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75895-0x74853ab6) 
13241300x8000000000000000670148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000670147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09c3955f) 13241300x8000000000000000670146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75884-0xb0fc6ab6) 13241300x8000000000000000670145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588d-0x12c0d2b6) 13241300x8000000000000000670144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:28:16.536{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75895-0x74853ab6) 10341000x8000000000000000670143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.364{D419E45B-F510-60B8-2851-00000000C401}16121924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.208{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C8EF08C3DA0E29CB67CD0BEECA06BC,SHA256=4E8519071AE0394D7B2A5344CFB4A696946564046F3C9510B8C6CBA7F766B246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.208{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52DC518059B1FE382EA7C693CFA1891,SHA256=8A23A05B60F48FB0D8374DEAAD850A1B0DFAB5567D74714C772EAA91B39EB2F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.114{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F510-60B8-2851-00000000C401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000670139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.114{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.114{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:16.114{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.114{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.114{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F510-60B8-2851-00000000C401}1612C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.114{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F510-60B8-2851-00000000C401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:16.115{D419E45B-F510-60B8-2851-00000000C401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:17.813{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C1D1E7042C38987F568D5887CBAECE,SHA256=C34884619DC8DDD96B939FE14F18DA3A576C8FD647BCC35E6970CD26BB0F02B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.958{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F511-60B8-2B51-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:17.958{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.958{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:17.958{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.958{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.958{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F511-60B8-2B51-00000000C401}5920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.958{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F511-60B8-2B51-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.959{D419E45B-F511-60B8-2B51-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000670173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.473{D419E45B-F511-60B8-2A51-00000000C401}51126360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.379{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434808EAC0560236CDFF9DE0089D4C40,SHA256=FFFA9891AC4928DE9458C83178DD4904387098661AC8DDF374092312A3875626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.348{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4FF28EFB2A16DD6F7B800341654CDE2,SHA256=2AB2E37F6CF6EC3F78B48610F759C59E824B214521D8F8DA368B353317C3BA28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.286{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F511-60B8-2A51-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.286{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:17.286{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.286{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:17.286{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.286{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F511-60B8-2A51-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.286{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F511-60B8-2A51-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.287{D419E45B-F511-60B8-2A51-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:18.813{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0161A29F6DD3DC0EC351AC470275AE31,SHA256=E903AC6985B839623FD4E2972FB563A4869367EB0A21AF53E198B899C47E9339,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000670183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:18.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09852CD8D0F3086CBC51F3B546E5B0EB,SHA256=1F3805A521797941E44E09A400E463B6B8DAB448FCBDA6D2685F6AA066F39E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:18.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E30119BB237C3E2DE55EE45AFDC2FD,SHA256=4E6CD8302A28DCC0D04512F4C0895C66C870D1CB797D9F0D830B3B38D890AB97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:18.079{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA01D890EC669B86C936B61CDD178415,SHA256=E330054B2B83ACF75F9062A8E56E460D39FE66234C9BFEA966D20A8038415128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:18.079{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A747815BEE19D800015E36371130D7DE,SHA256=71AC78C2037025A38D7ADD6753E070FE152F139981F893A8B7A80E2996728FB8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000613820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:19.825{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEECF0C59331F576C3FCBC79F669608,SHA256=9CF7F7431D7C5CCC71073F2C8F442DAAC53F928E726B3A2594F08FC12D3382C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:19.661{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB48CD7AAF4668DBD434F5130F5A908,SHA256=125CB281AF70E9EC8B20CD083721F8564D8B5E4B6E28C9159884CD6E8C0AA359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:19.551{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2013970AD0CC28AD7BF27F322318A68F,SHA256=4B2480EE2EAD66C5103F34A898C79C3575AD3457A35ADFEC202CC1153149B0E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:15.894{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50957-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x8000000000000000613821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:20.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0DCC769A54780426515D4DAC7B1FBC,SHA256=B9A0A6C8DCA3B8FC36D69A70A2E363D3B3A19997DA07B33C3A7A1BF4D8E21648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:20.796{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA7C7FC93D626EA09E67F5629BDC4DDF,SHA256=F3482F212528BAF3089D3347BA9C1881DD8EAD9F5599FB11F054D60EF68AE242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:20.561{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8496E38AACCE701E0D9B0BDA3F6FD6B,SHA256=DB7E82DDD699609AA6BDA0E4359A287105883570BF0E4FE1AE402E345F80148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:21.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CBCFD60F03D514E342C6EB696C7BA7,SHA256=DF94BA76619E21E32A1ACA682BBF1D04C66E28B13CA0FC5943C44B0F3F550E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:21.608{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA088F8BA786542BB0E2A7B5A26A0C59,SHA256=E502B55F020C8E9985F93F57BCC2066D7446E11E5024BB761966DC5B232B9B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:21.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A43D653C9A40BF5F38ED628DD91AEE,SHA256=861A668B1CCF127DCD1078790BAEEDDBF343F8A1EA39D93963350AC40A70F429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:22.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4790CA7B49F8AA2541550087D0A5A1,SHA256=C27F85A07A8662346841E6A9C5FC8B6141F34F11598E4F160F0611DDA15E4F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:22.624{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3806F64F10A5D59614B8DD4D336CEFE,SHA256=2B24FBCC4F1400775A83D7D37C956179E1E3CC8DD6D8E8298D8BCE77388AFD7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:18.641{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51885-false10.0.1.12-8000- 354300x8000000000000000613827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:21.031{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50958-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:23.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC89C26C5F169F8F27FA1202083450E,SHA256=F861FCE6A2A85B84E0EF196FFD1BD835A698A6B22EE11659E7EA8F42F7C39B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:23.624{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBD190DE5F82C000FC68A99CA59DED5,SHA256=FE73069D1F48A03B3A6A8E552415E98A346FCD45861B9C677E963C3844D7B144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:23.184{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC296615E7A0A2C4BEC6767D3AFF66C,SHA256=95D67EBF8DE8CA762040022C219E5C0B0EE5A98F3B8750C7EE7848C9521A511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:23.184{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA01D890EC669B86C936B61CDD178415,SHA256=E330054B2B83ACF75F9062A8E56E460D39FE66234C9BFEA966D20A8038415128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:23.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87D9D84BEC30634FA5C805F746E3861B,SHA256=E7CB0F8C4EF2C1B3EF4D85C38302A9F9B675AD0E95FBDE2A7CCBFC6C8BFEB020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:24.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CBCD2A9AF47DDF226CF656F33F18D2,SHA256=17FEA37246997CC75450298A9E35DEF6C714C04664C18DA331782352E4615AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:24.639{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD88B2B9C32A6E3723883742AC19755,SHA256=7628EB9C4FFE001D38ADBF4BA64F1FDEBDB84A1F6B5D6E9DA0063E1F99B71726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:24.327{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FEAF1FD121D6806ABBE887886EC0E83,SHA256=83C65A8ABEC9E50E7A39FCE039777628359BE3A0864E66B5BB3B746473C8AF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:25.856{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7801CA797A7E09053A2E1712BBC95838,SHA256=B6A059EAC9F66107BB0A8AF1FAD4AE60616E8ED42FE59F9A4DEEAADDF0B95F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:25.827{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA37979D6D239B23382C940CAF871C8,SHA256=AF3A71EB07A8E67A5C7DF21C7E0A93411E7B30711F6A39DD036A0093A3393B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:25.358{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED74C41052131B0004DEDD8E8F076F31,SHA256=D5D143155F54FBAAC76E67BF3AB4A5FEC211DD6AE88678450B178C49B63BA7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:26.859{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AF69BCC1F51B23E6E89D3E069517C70,SHA256=64C1BCBD582F4412AB7DBDDD672A42FDD36BB7F5F3CEBD87C2C2E50A8C9533A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:26.842{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6696297B7ED7CABA0D8172B6A793CA12,SHA256=038C567AC2ED969243208DF2EB62C5EF062B4B2F0D699CA580D7BEAF4F8E3930,IMPHASH=00000000000000000000000000000000falsetrue 
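
The records above are Sysmon events exported from a Splunk attack_range deployment with the XML tags stripped, so each record is the System block (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) run straight into the EventData fields with no delimiter. The Python below is an added example, not part of the dataset or of Splunk's tooling: it recovers the fields for the three event types on this page (3 NetworkConnect, 10 ProcessAccess, 23 FileDelete), treats the fused SourceProcessId/SourceThreadId of EventID 10 as unrecoverable rather than guessing a split, and runs two checks over the result: connections a host initiated to a non-private address (which surfaces the svchost.exe connection from win-dc-233 to 51.195.68.163, www.win-rar.com:443, recorded above) and process handles opened with PROCESS_ALL_ACCESS. The field order is taken from the Sysmon event schema; that RuleName is always "-", that addresses are IPv4, that the EventID 3 Image ends in .exe and that GrantedAccess is lower-case hex are assumptions that hold for this page but not for Sysmon output in general. SAMPLE holds four records copied from this page, one of them wrapped after "C:\Program " exactly as it is in the dump.

```python
"""Recover fields from flattened Sysmon events (XML tags stripped, as in the
dump on this page) and run two checks over them.  Added example, not part of
the dataset: SAMPLE holds four records copied from this page; field order is
assumed from the Sysmon schema for EventID 3, 10 and 23."""
import ipaddress
import re

# <EventID><Version><Level><Task><Opcode> run together, then Keywords,
# EventRecordID and Channel: every record on this page begins this way.
HEADER = re.compile(
    r"(?P<digits>\d{5,7})0x8000000000000000(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational")
# Computer, RuleName (assumed "-"), UtcTime, first GUID, then the rest.
PREAMBLE = re.compile(
    r"^(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<guid>[0-9A-F-]+)\}(?P<rest>.*)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed: paths start with a drive letter, the EventID 3 Image ends in .exe,
# addresses are IPv4 and GrantedAccess is lower-case hex (as on this page).
BODY = {
    3: re.compile(                       # NetworkConnect
        r"^(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?\.exe)(?P<user>.+?)"
        r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
        r"(?P<src_ip>" + IPV4 + r")(?P<src_host>.*?)(?P<src_port>\d{1,5})"
        r"(?P<src_port_name>-|[a-z]+)(?P<dst_v6>true|false)"
        r"(?P<dst_ip>" + IPV4 + r")(?P<dst_host>.*?)(?P<dst_port>\d{1,5})"
        r"(?P<dst_port_name>-|[a-z]+)$"),
    10: re.compile(                      # ProcessAccess; SourceProcessId and
        # SourceThreadId are fused ("412428") and cannot be split, so keep both
        r"^(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?)"
        r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)"
        r"(?P<tgt_image>[A-Za-z]:\\.+?)(?P<access>0x[0-9a-f]+)"
        r"(?P<calltrace>[A-Za-z]:\\.*)$"),
    23: re.compile(                      # FileDelete
        r"^(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.+?)"
        r"(?P<target>[A-Za-z]:\\.+?)(?P<hashes>MD5=.+?)"
        r"(?P<is_executable>true|false)(?P<archived>true|false)$"),
}


def decode_header(digits):
    """Sysmon emits Level 4, Opcode 0 and Task == EventID, so the run-together
    header equals f"{eid}{version}4{eid}0" for exactly one split."""
    for k in (1, 2):
        eid, ver = digits[:k], digits[k:k + 1]
        if digits == f"{eid}{ver}4{eid}0":
            return int(eid), int(ver)
    raise ValueError(f"unrecognised Sysmon header {digits!r}")


def parse_dump(text):
    """Records are separated by one space and may wrap onto a new line (the
    space survives the wrap); return one dict per record."""
    flat = text.replace("\n", "")
    heads = list(HEADER.finditer(flat))
    events = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        eid, version = decode_header(head["digits"])
        pre = PREAMBLE.match(flat[head.end():end].strip())
        if pre is None:
            continue
        ev = {"event_id": eid, "version": version,
              "record_id": int(head["record_id"]), "computer": pre["computer"],
              "utc_time": pre["utc"], "guid": pre["guid"]}
        fields = BODY[eid].match(pre["rest"]) if eid in BODY else None
        if fields:
            ev.update(fields.groupdict())
        else:
            ev["unparsed"] = pre["rest"]          # unknown EventID or layout
        events.append(ev)
    return events


def public_egress(events):
    """EventID 3 connections a host initiated to a non-private address."""
    return [(ev["computer"], ev["image"], ev["dst_ip"], ev["dst_host"],
             int(ev["dst_port"]))
            for ev in events
            if ev["event_id"] == 3 and ev.get("initiated") == "true"
            and ipaddress.ip_address(ev["dst_ip"]).is_global]


def full_access_handles(events):
    """EventID 10 where GrantedAccess is PROCESS_ALL_ACCESS (0x1fffff)."""
    return [(ev["computer"], ev["src_image"], ev["tgt_image"])
            for ev in events
            if ev["event_id"] == 10 and "access" in ev
            and int(ev["access"], 16) == 0x1FFFFF]


# Four records copied from this page, joined with the dump's one-space
# separator; the second wraps after "C:\Program " exactly as on the page.
SAMPLE = (
    r"354300x8000000000000000670213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:27.813{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51887-false51.195.68.163www.win-rar.com443https "
    r"354300x8000000000000000613819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:15.894{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program "
    "\n"
    r"Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50957-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- "
    r"23542300x8000000000000000613836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:29.153{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9bbf057.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue "
    r"10341000x8000000000000000670165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:17.286{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F511-60B8-2A51-00000000C401}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"
)
```

Call parse_dump(SAMPLE) and hand the list to public_egress or full_access_handles. On the four sample records the first returns the win-dc-233 connection to www.win-rar.com and the second the csrss.exe handle on splunk-regmon.exe; both checks need host- and image-based allow-listing before they are usable alerts, since on this page every PROCESS_ALL_ACCESS handle is opened on splunk-regmon.exe by conhost.exe, csrss.exe or splunkd.exe. Anything the regexes do not recognise is kept under an "unparsed" key rather than dropped, so a record with an unexpected layout is still visible.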
23542300x8000000000000000613830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:26.856{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E95C8AF8068CA81BD11340DCBBA3C9,SHA256=2CC71ECD8E3D660CF5B408F451AD49634477C815E27A6444D049B8BB3957EC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:27.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD17925706681FB88A82A66A7B57920,SHA256=A17C350CC970DCC26D8A1F789C0ACB3C255561328C5FD9765CA4D2A7F3B6C02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:27.888{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84759E52E2F06EA509F41D678F4BD079,SHA256=BBFA071ED30F827C4171CC830F342E9FD9D769CF16E73E869454B91CA9C3B32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:28.891{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A4403219D07722B6AECA4725274E9A,SHA256=042CF7865838C81F98974905FCF4235B76B341D095246FBADD336340173827E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:24.577{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51886-false10.0.1.12-8000- 23542300x8000000000000000613834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:28.903{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06460924068F26B6E23A8A7561E66CC,SHA256=C0F5E841CE0F2BDBC664C46CEA7517BBAE01481E6EBEA0D920AC247ABE35AA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:28.046{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B8DC223537211AC74EB32B1C4A1FB35,SHA256=DBEE565928F99936F8C7AF865DD621232F7CEE11F315BEA25337912792FD3554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:28.263{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C278FE3D3E6C7900FC35EF1C248D29A,SHA256=FE72AD7F0725887ED66235C8E96F82880CF5DF67C5ED36A82D2552F773F2F5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:28.263{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC296615E7A0A2C4BEC6767D3AFF66C,SHA256=95D67EBF8DE8CA762040022C219E5C0B0EE5A98F3B8750C7EE7848C9521A511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:29.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CE9C01358B509F09760E9D57D29D7C,SHA256=6AEE781414EE867A0CE479D6912407351B315C974FE1651ACFBA7B2B275C6BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:29.922{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9851175982603CA1D0737E164CCE0088,SHA256=1425280F2C9562613CEC74CC42318E0D28B1B70AC644DFA7A88348E07BFA5491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:29.109{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D9564F4D44BC360E90B2E9B3DF50F51,SHA256=4D760DA91131C03E3E49543920025DC530E3085DAD7833126E6723E154B0DC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:29.153{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9bbf057.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000613835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:26.093{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50959-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:30.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA38D3DF2674778A3156925147EE97D,SHA256=9E09D45E21D061896F0EB880E1EF7F51E47AD86D9A8FB865681DD239185B5B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:30.953{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9E4C41E0DA1BFF65D618B870DC9850,SHA256=A8BE1105F59178E8CB90B7E23352B8813F05083697127C5242DFF7628835DBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:30.669{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6553BCA3308F7C019C8C533165C997EE,SHA256=5E0B85B45E7AB88AD9D53E81E559B3E1266180C59EA3C44D3EE45518DE678889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:30.669{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44FCEDE192B37DA0A318B267AD2230A8,SHA256=E253D489154AA1826D3C85A2E0EC3406F6398695B3D27008DD976C2000B33471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:30.281{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B5B7E9A097C0E295C42AAE62E9CB235,SHA256=E251C4C4C340AD295A6C674DA193F9B762C1770FC763F4B3D71BA6437C816942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:31.934{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
15:28:48.449{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:48.293{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A22D8406622D1DB43C5F92A833F626,SHA256=A0EE544405A91BE8C9E12A37E33B0DA4DDCAA07C7BB1A5DAEA7788EF356BED7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:48.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25BA5B2C086516867AB44DD15C72605E,SHA256=6F4C3BD1C15B967CDC2D30E78DFAEF35C8CA871B32A28CA25E81172EBFE41C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:28:49.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3AA4ACD05D67FD08A7D76A30CA3B9F,SHA256=6C525937F896309C05029FB02A38BA5907AD1304406F5A4F30D7F252914E18DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.762{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90961A1B69173FD2225D25F6C5E50333,SHA256=59D76FDBC01C2ED233A94FAE28A43BD04C230A739195C7E4EF35436503D9454B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.762{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61A32123CBA18AD259BF9F26B318B287,SHA256=613A2FA1EF7F149B097B9F302E68598929EA0298DA763F0F95C54A3D451C777C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.558{97C2ED32-F531-60B8-655B-00000000C501}39401096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.418{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F031-60B8-B65A-00000000C501}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.418{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:49.418{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.418{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:49.418{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.418{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F031-60B8-B65A-00000000C501}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.418{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F031-60B8-B65A-00000000C501}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.419{97C2ED32-F531-60B8-655B-00000000C501}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:49.293{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7829290E7DEF772C7DEEE2E7A487BB1,SHA256=24A675BFE7E3974FCDCFDA1C7BC91660148239B0A6533A0D6DB835DE73B4BB4B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000670250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:45.607{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51892-false10.0.1.12-8000- 23542300x8000000000000000670249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:49.357{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E8E10C63FD63DFFDC85111FD71C2B0C,SHA256=16377FB78BD362F3FE9AA9C3F3AE0FFD3D817BFDCB98C1354A3B93ED332C9BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:50.982{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215BC00C9346C660862A776D91950F9F,SHA256=C6DDFCE40E1B1970AAB88F8045ACD4790FA146408409A1EB453F1FE43A693CE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.762{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F532-60B8-675B-00000000C501}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000613905Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.762{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613904Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.762{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613903Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:50.762{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613902Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.762{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613901Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:50.762{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F532-60B8-675B-00000000C501}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613900Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.762{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F532-60B8-675B-00000000C501}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613899Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.762{97C2ED32-F532-60B8-675B-00000000C501}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613898Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.293{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA3A63E4002A331B7A3492B27DF534E,SHA256=13D4D87ABE1D54E15039EC30274BD7C1D1A544198A83E242FE4EDF9447365DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:50.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D380BD01DCEC24810663C8D426BB7BC9,SHA256=15B01DEA79B41ACC021CCCA4BF4F79FFEFDFCCFF771FB3933CB3A214CEAAB6BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613897Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.215{97C2ED32-F532-60B8-665B-00000000C501}9324456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613896Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.090{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F532-60B8-665B-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613895Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.090{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613894Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:50.090{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613893Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.090{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:50.090{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.090{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F532-60B8-665B-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.090{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F532-60B8-665B-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:50.090{97C2ED32-F532-60B8-665B-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000613917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:48.030{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50963-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000613916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.433{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F533-60B8-685B-00000000C501}4300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.433{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F533-60B8-685B-00000000C501}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.433{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F533-60B8-685B-00000000C501}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.434{97C2ED32-F533-60B8-685B-00000000C501}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000613908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.324{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DD89B50FA164E9FDD26D4028A09078,SHA256=9E22E404510D9E9F94EA528242FA44B35F155936A87648A883D141783A56226B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:51.732{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=039BE1F6A8E6BE5B307A073403B99977,SHA256=F5E81568B894A0E75976BD5FF69E14D7CFA4F1D5681B175149C3AB4FCB8B590C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:51.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90961A1B69173FD2225D25F6C5E50333,SHA256=59D76FDBC01C2ED233A94FAE28A43BD04C230A739195C7E4EF35436503D9454B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.902{97C2ED32-F534-60B8-6A5B-00000000C501}40364784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613936Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.746{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F534-60B8-6A5B-00000000C501}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613935Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.746{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613934Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:52.746{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613933Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.746{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613932Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:52.746{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613931Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.746{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F534-60B8-6A5B-00000000C501}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613930Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.746{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F534-60B8-6A5B-00000000C501}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613929Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.748{97C2ED32-F534-60B8-6A5B-00000000C501}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613928Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.668{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81544ACEB3CD23D3490D6123D0F4BE24,SHA256=6D5CD62E2B5C8449CFB5773BA12936168E4D0EF0E1AAB8028B87351A1F964ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:52.340{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7643B25179321A9266AB9E5C69D9D32A,SHA256=E0078F06DEB5D65D4DAFDE642A44613CA27F96E1F96C8EDE0C87C16A958CB2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:52.013{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711D1AC38BC227BC38A9635990681536,SHA256=C092C41DD4548BA41D7D9D2F77CAE022707BBA1E744D5324E6DD476E3D692C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.246{97C2ED32-F534-60B8-695B-00000000C501}47323280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.105{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F534-60B8-695B-00000000C501}4732C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:52.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:28:52.105{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.105{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F534-60B8-695B-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.105{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F534-60B8-695B-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000613918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:52.106{97C2ED32-F534-60B8-695B-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000613939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:53.824{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFB1136DE3D96BCD44F858D7D1394BB3,SHA256=C2199E535806FBF2D9C99744BAED00FDE9C2360412AC5C218B672657F08C2398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:53.387{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02C3D74801BCFB9672FA17E3422B8DC,SHA256=366A9EFE5C21DBF40DB28E646D3ADE27B7E148F44C4B60CF4592C5A0EB0FD0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:53.513{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7FA67391F54978A1AA7703CF65FADB5,SHA256=21B46272B767B1FD3D14917F8D63658B29B755BEC354BF8FCE2A55B6B4430CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:53.091{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B8D5219FA886C93DB2C24514FEE871,SHA256=F7C392CBF642BDF00C73738399380BEF4D350B176E546131E15C2779ADF55F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:53.013{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C27BD3BC774FBD05538932BF4B70AA2,SHA256=858D1D7BE63B5EF091DC8E291274A24F07061AA8F8A705EF43FA642A028166F3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000613940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:54.418{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2C8E7E25E582F4292D2C9C3B92EA90,SHA256=B16CD5B5CC008621F464C88C4F76E683314428CAAEC0A8338B8764D973416509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:54.373{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A061136E850D4C8DB34FF87C95D115B,SHA256=7C54558F3FE940D627CA8CBAC2E82FE93C6D3672481196DB467C5E89EE249DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:28:54.029{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C988B5A5743E813C35613FEFAA4859,SHA256=CF5AD7D8E76B8DD97FBA1D4DBC59DFC84437A8E1426914AD445995CDBD631FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:28:55.418{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Sysmon records from this dump, one record per line, fields separated by " | ". Fields that are constant across every record are omitted from the rows: Channel Microsoft-Windows-Sysmon/Operational, Keywords 0x8000000000000000, Level 4, Opcode 0, RuleName "-". Versions as logged: EventID 23 is Version 5 / Task 23, EventID 3 is Version 5 / Task 3, EventID 10 is Version 3 / Task 10. Hosts are win-dc-233.attackrange.local (10.0.1.14) and win-host-236.attackrange.local (10.0.1.15); 10.0.1.12 is the Splunk server.

Row layouts:
  EventID 23 (FileDelete): 23 | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
  EventID 3 (NetworkConnect): 3 | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  EventID 10 (ProcessAccess): 10 | EventRecordID | Computer | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames joined with a bare "|", as Sysmon writes them)

(tail of the FileDelete record begun on the previous line) ...Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8662B610D884A679D8FB633133C9811C,SHA256=A97871D8142511551A00D0461C32F450C61F64B2C3C818ECAA3DB02D8FD14836,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670262 | win-dc-233.attackrange.local | 2021-06-03 15:28:55.451 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=E41DD851D949645305793FDCA7C000E5,SHA256=77C7068CD8DF65FAF2BB024C363D7C1D93A37012AEC355F569B9B5B888D20967,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670261 | win-dc-233.attackrange.local | 2021-06-03 15:28:55.044 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=752172FB8F6FFCF95E86EF5C9CCC3988,SHA256=BBE973C35193A182BCD2558D386FAE9DD401FDF94CAD08E71DDF900891FE01C0,IMPHASH=00000000000000000000000000000000 | false | true
3 | 613944 | win-host-236.attackrange.local | 2021-06-03 15:28:53.936 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50964 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 613943 | win-host-236.attackrange.local | 2021-06-03 15:28:56.418 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6DD9B33FB62C7747EA1D35635F5B4EA9,SHA256=169F52C70C46BDF0FC77A2B975E0230E3991DBA667BF6ADE12E5FD065AD02C5C,IMPHASH=00000000000000000000000000000000 | false | true
3 | 670265 | win-dc-233.attackrange.local | 2021-06-03 15:28:51.638 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51893 | - | false | 10.0.1.12 | - | 8000 | -
23 | 670264 | win-dc-233.attackrange.local | 2021-06-03 15:28:56.701 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=51D03C051437DCAFDF15D3AEFB2BE98B,SHA256=00EC2CFD8066BEFF721E9DF4731692ABC9C885A70CA67D01AEE40FF7113AE9D1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670263 | win-dc-233.attackrange.local | 2021-06-03 15:28:56.060 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7953EB7F14B71779D903D7470C0391A9,SHA256=7690174B713B34C5188A1CEAC991F0131F46432ECCC5BC92C72CF92638CCFFDA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613942 | win-host-236.attackrange.local | 2021-06-03 15:28:56.308 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=2498788503F61195B8078C1646084C35,SHA256=F046FBC205BEC14D3C50D6641C621F77EE1CD0E29140DD91F666C1A96F6F8034,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613945 | win-host-236.attackrange.local | 2021-06-03 15:28:57.449 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=469C0AE793139AC4CD0582CA16CD0310,SHA256=5FA29FD5B306CBAF8E2977D9F5B36B82B942BC0C07C4F6A3475BE1218880E4E9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670267 | win-dc-233.attackrange.local | 2021-06-03 15:28:57.826 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=63B5AADFABA2111A852F20AA095E013D,SHA256=3659E0E11FAFFE712C658822B41E4920EBFA340A0354DE7B83AC12AD1C26E0F7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670266 | win-dc-233.attackrange.local | 2021-06-03 15:28:57.060 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=06A99850E3E7FA4B971FE2B6FB679E9F,SHA256=90D093E7338B83EA932BE260542C027486FDC595442A66D1000753C28E5AB732,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613946 | win-host-236.attackrange.local | 2021-06-03 15:28:58.465 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9EAAEF52D8879E453853CEDB75833E24,SHA256=FFA4420887ABE9DC53FE4749DD2A72ED66F129CCF0C5672A73B8927434E10C3A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670268 | win-dc-233.attackrange.local | 2021-06-03 15:28:58.076 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=62F02944A43D64E522FAAAD6A759B1C3,SHA256=8977018EA584670E759908BAC760C5577326A8DEE0440A95B80DB7A51D8CC9BD,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613948 | win-host-236.attackrange.local | 2021-06-03 15:28:59.465 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8F7170BCB1D7A378391CAF7A602454A1,SHA256=B8C95F2D04A0128C26583809B4D25DEC4B09E6FBAFEDB57BAD41DE13557D6322,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670270 | win-dc-233.attackrange.local | 2021-06-03 15:28:59.341 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5DD02F36D39C253A3FC93F44C4AD3612,SHA256=EDEB1F39705E26A5A69B5D54022149BE65A3FFA2CFCAAFF4C20E597045540FFE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670269 | win-dc-233.attackrange.local | 2021-06-03 15:28:59.091 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8BD786DD04E0B25241D0EE463F327EC0,SHA256=5C83DBBEE0058D2131848A743CA3C0DC60C34220103B39965A5BF155FD831868,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613947 | win-host-236.attackrange.local | 2021-06-03 15:28:59.418 | {97C2ED32-787E-60B6-C000-00000000C501} | 3336 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000 | false | true
3 | 613951 | win-host-236.attackrange.local | 2021-06-03 15:28:58.249 | {97C2ED32-787E-60B6-C000-00000000C501} | 3336 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50965 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8089 | -
23 | 613950 | win-host-236.attackrange.local | 2021-06-03 15:29:00.480 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D257444AF74236EDBA0423BA21179DF6,SHA256=FA4A34D29F3665676B936DCDC51D4BAFFA45D075089C58984F1DEF0A1D9D7249,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670273 | win-dc-233.attackrange.local | 2021-06-03 15:29:00.528 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=3A5D49303D07FBC49856AC91148EB183,SHA256=EE28D214E4AE8C34E1718233643483DC5CA8E3577B2B8EA623070E4452455DC8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670272 | win-dc-233.attackrange.local | 2021-06-03 15:29:00.403 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=914ACCCFED67407D3B7E28750C1058E8,SHA256=36D8E87F723265F8F30DBCA2D6572F2324AA8F77E4EEE66E366AE638D4447B50,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670271 | win-dc-233.attackrange.local | 2021-06-03 15:29:00.107 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=26D6502B3C225D24C3F65BDAE10A063E,SHA256=D48D04504F55952AFA772F342255D59A337DA39FA41D6CF9518C78AF50D32BF2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613949 | win-host-236.attackrange.local | 2021-06-03 15:29:00.418 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=CCB702397A15E5E0484F48F238C07BA4,SHA256=9237EA25469031CA07DF96A9B5E4FC97143CCCF28341462144C4E2DBAEF390FF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613952 | win-host-236.attackrange.local | 2021-06-03 15:29:01.480 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4780C1364FD9B4F42BB76F8B559BB8D2,SHA256=D194B2F8B0A0712FC2B1A12B356EDDBBBF3263273EB6804280415719C6D1DE30,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670275 | win-dc-233.attackrange.local | 2021-06-03 15:29:01.638 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=3D8554C2DC592D58F98FDB2E21698EC3,SHA256=FA254656C3E040765D337068A93070232F382E7C7AC040E729F287C855012675,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670274 | win-dc-233.attackrange.local | 2021-06-03 15:29:01.122 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F100E25FB59A22C5A9C00A1B8750D875,SHA256=7282B30C82732A4B6C21BD553AB15421A8FDD9AC01F534E6DCBB0631A74795D5,IMPHASH=00000000000000000000000000000000 | false | true
3 | 613956 | win-host-236.attackrange.local | 2021-06-03 15:28:59.936 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50966 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 613955 | win-host-236.attackrange.local | 2021-06-03 15:29:02.527 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=65CC0AD4F604D254FA5BACADFB74F3CC,SHA256=198F10E8E2334A8DD071E782EC1905A84317B4BA0245AF46B17BC6B440570F7F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670279 | win-dc-233.attackrange.local | 2021-06-03 15:29:02.419 | {D419E45B-753F-60B6-2E00-00000000C401} | 3052 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670278 | win-dc-233.attackrange.local | 2021-06-03 15:29:02.169 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B9CE39CBBA15D1AF700CA30DCD5D0549,SHA256=D68485A6E9849E8E55C4AA5C14EA1743FB1F2E9AA8D3D9ED7DB756FA96B71348,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613954 | win-host-236.attackrange.local | 2021-06-03 15:29:02.480 | {97C2ED32-772F-60B6-1000-00000000C501} | 976 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | MD5=87D35FCB5283F670E05E8DFC5FBE4990,SHA256=8290E72F989A0FB50B1571132A2B4DE2CC468D8741099E3F9217822B62710AB1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613953 | win-host-236.attackrange.local | 2021-06-03 15:29:02.246 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=9C0D1D51490B7C0BC919E3D6FE08F2FC,SHA256=19327B9E207A67D5AC9513CCC5309EAA51601FF667EEF3E93FA20313CF590690,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670277 | win-dc-233.attackrange.local | 2021-06-03 15:29:02.013 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=F6E6AC45087CFD32F7CDFACFFD661535,SHA256=08FD33714C0DF0FA327B6EC88CC446AC18E7313132B887A7C964D39F09BA827E,IMPHASH=00000000000000000000000000000000 | false | true
3 | 670276 | win-dc-233.attackrange.local | 2021-06-03 15:28:57.607 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51894 | - | false | 10.0.1.12 | - | 8000 | -
23 | 613957 | win-host-236.attackrange.local | 2021-06-03 15:29:03.543 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=44407D06B129A58D15ECDF1D1FAEC515,SHA256=D9114F237D76108C109F40A3B07AE2A9D58EB67AB6826F519DA5EF53C730A33C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670281 | win-dc-233.attackrange.local | 2021-06-03 15:29:03.341 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=2163D4426EEFDD06A4DAC5E35CC9B55A,SHA256=F9B38AD7B136D17A74A9F1C60ED61312E00B5B20657639A7A34857B10CA231D0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670280 | win-dc-233.attackrange.local | 2021-06-03 15:29:03.341 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CEA236120670330587754A95EFDB8235,SHA256=275CB6FF11D7A437572399443D4325D194EBA3AB65AB87808F343CC3BE78EA5C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613958 | win-host-236.attackrange.local | 2021-06-03 15:29:04.574 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6FAA9519377959915B83D105959E9024,SHA256=4F15796389D930B4E42BDDEA006714FACEC8D99B9D675B9FC615E8EB1AB68BC3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670284 | win-dc-233.attackrange.local | 2021-06-03 15:29:04.467 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=AAC3266900EEE212A9005A6118B67A5A,SHA256=170D551C809C33B83DB9FD3E83841CE3C6EA9F08C1312DFB46CFACCCA0424924,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670283 | win-dc-233.attackrange.local | 2021-06-03 15:29:04.357 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C07409C97734E237F1EA312C74430176,SHA256=F61A018DB3D5FCC7606C59131E19D4EE1F29E1379C7DB1A794FFA53200CAB711,IMPHASH=00000000000000000000000000000000 | false | true
3 | 670282 | win-dc-233.attackrange.local | 2021-06-03 15:28:59.857 | {D419E45B-753F-60B6-2E00-00000000C401} | 3052 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51895 | - | false | 10.0.1.12 | - | 8089 | -
23 | 613959 | win-host-236.attackrange.local | 2021-06-03 15:29:05.605 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=749E18AA84A8FAD3266F550B53C81D0F,SHA256=1FE8A08B4C84EE078ECB2DF40167C7A303C086B3358FD136EC5A6AC113E07A98,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670286 | win-dc-233.attackrange.local | 2021-06-03 15:29:05.528 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D9DAC3ECD0D193240D55E06EB76393A4,SHA256=67BAD8ED22A500D7FDAB96474B2AC335DCE59A785EAE0E5382C8A06D30E02A3D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670285 | win-dc-233.attackrange.local | 2021-06-03 15:29:05.419 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=06C02D0333890A10895423D75C25E297,SHA256=964E417C94243A8D5344A5FC45782962C146A066698C758B46FECE5E631B26C1,IMPHASH=00000000000000000000000000000000 | false | true
3 | 670290 | win-dc-233.attackrange.local | 2021-06-03 15:29:02.576 | {D419E45B-752D-60B6-0B00-00000000C401} | 632 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 51896 | - | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 389 | ldap
3 | 670289 | win-dc-233.attackrange.local | 2021-06-03 15:29:02.576 | {D419E45B-753F-60B6-2D00-00000000C401} | 3028 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | NT AUTHORITY\SYSTEM | tcp | true | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 51896 | - | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 389 | ldap
23 | 670288 | win-dc-233.attackrange.local | 2021-06-03 15:29:06.591 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F970981BEABF1A0F90B57C90EB1B7EF0,SHA256=69989FBB44AE272C1D72C3A443873744E29E1A31F605995B65E8FFF85F575EBB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613960 | win-host-236.attackrange.local | 2021-06-03 15:29:06.621 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=156220334BDA3E9D0B0C172CCD212333,SHA256=D2C5E681C7F1A8FB3260CD09AC3944C2AE73DF0D6FBD326BB41B5C891537A872,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670287 | win-dc-233.attackrange.local | 2021-06-03 15:29:06.528 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=8B181FD5E242627CA81CB4E01CA4041B,SHA256=EEA247B073B26E417210005D47E955C3FA9C59822CF44E29320AA1B45630E506,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670292 | win-dc-233.attackrange.local | 2021-06-03 15:29:07.778 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5DF9BB6538E946B1EC378B80389AA4FF,SHA256=DD988AE6206988B2E013CBB0AFA89A07C63026B11567EC35D778F9733906B548,IMPHASH=00000000000000000000000000000000 | false | true
23 | 670291 | win-dc-233.attackrange.local | 2021-06-03 15:29:07.607 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=67F175FCECD2CD717CD745BE31053A2C,SHA256=5E6044F057D84E5FB913620E943809ED0B09C4E8ED2A1B0B855939F7F00DC1FE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 613986 | win-host-236.attackrange.local | 2021-06-03 15:29:07.747 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9893A0D9826E6D538A75A495CA83F134,SHA256=B8AE15B9C8F6BD48FEE7029BF81E7305D44DC9E3CE71357AD245487FCA46C098,IMPHASH=00000000000000000000000000000000 | false | true
10 | 613985 | win-host-236.attackrange.local | 2021-06-03 15:29:07.246 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-772F-60B6-0B00-00000000C501} | 628 | C:\Windows\system32\lsass.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613984 | win-host-236.attackrange.local | 2021-06-03 15:29:07.246 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-772F-60B6-0B00-00000000C501} | 628 | C:\Windows\system32\lsass.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613983 | win-host-236.attackrange.local | 2021-06-03 15:29:07.246 | {97C2ED32-772F-60B6-0B00-00000000C501} | 628 | 2772 | C:\Windows\system32\lsass.exe | {97C2ED32-7730-60B6-1600-00000000C501} | 1204 | C:\Windows\system32\svchost.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613982 | win-host-236.attackrange.local | 2021-06-03 15:29:07.230 | {97C2ED32-7730-60B6-1600-00000000C501} | 1204 | 4576 | C:\Windows\system32\svchost.exe | {97C2ED32-F543-60B8-6B5B-00000000C501} | 3528 | C:\Windows\system32\wbem\wmiprvse.exe | 0x101541 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613981 | win-host-236.attackrange.local | 2021-06-03 15:29:07.214 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F543-60B8-6B5B-00000000C501} | 3528 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613980 | win-host-236.attackrange.local | 2021-06-03 15:29:07.214 | {97C2ED32-772E-60B6-0500-00000000C501} | 408 | 992 | C:\Windows\system32\csrss.exe | {97C2ED32-F543-60B8-6B5B-00000000C501} | 3528 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 613979 | win-host-236.attackrange.local | 2021-06-03 15:29:07.199 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F543-60B8-6B5B-00000000C501} | 3528 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613978 | win-host-236.attackrange.local | 2021-06-03 15:29:07.199 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-772F-60B6-0B00-00000000C501} | 628 | C:\Windows\system32\lsass.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613977 | win-host-236.attackrange.local | 2021-06-03 15:29:07.199 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-772F-60B6-0B00-00000000C501} | 628 | C:\Windows\system32\lsass.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613976 | win-host-236.attackrange.local | 2021-06-03 15:29:07.199 | {97C2ED32-772F-60B6-0B00-00000000C501} | 628 | 2772 | C:\Windows\system32\lsass.exe | {97C2ED32-7730-60B6-1600-00000000C501} | 1204 | C:\Windows\system32\svchost.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613975 | win-host-236.attackrange.local | 2021-06-03 15:29:07.183 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F121-60B8-DA5A-00000000C501} | 5268 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613974 | win-host-236.attackrange.local | 2021-06-03 15:29:07.183 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F121-60B8-DA5A-00000000C501} | 5268 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613973 | win-host-236.attackrange.local | 2021-06-03 15:29:07.183 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F121-60B8-DA5A-00000000C501} | 5268 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613972 | win-host-236.attackrange.local | 2021-06-03 15:29:07.183 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F121-60B8-DA5A-00000000C501} | 5268 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613971 | win-host-236.attackrange.local | 2021-06-03 15:29:07.183 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F121-60B8-DA5A-00000000C501} | 5268 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 613970 | win-host-236.attackrange.local | 2021-06-03 15:29:07.183 | {97C2ED32-772F-60B6-0C00-00000000C501} | 724 | 1868 | C:\Windows\system32\svchost.exe | {97C2ED32-F121-60B8-DA5A-00000000C501} | 5268 | C:\Windows\system32\wbem\wmiprvse.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000613969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:07.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:07.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000613967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:07.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:07.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:07.183{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:07.183{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:07.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:07.168{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:07.168{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:08.622{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC39CBFD540857FAE359EBF3C7328E0,SHA256=AF46A3B649C1A482EEC4670811D433D655722666344FB81342594971D20D8F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613994Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:08.760{97C2ED32-7730-60B6-1600-00000000C501}12043532C:\Windows\system32\svchost.exe{97C2ED32-F544-60B8-6C5B-00000000C501}3816C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000613993Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:08.760{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D266D36AD6F52BC1F2F745CDCBBE619,SHA256=ED495EE11828AFCA4B87E683C0529B34DE8B9C7485877A31CBC0E583279A5161,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000613992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:08.760{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F544-60B8-6C5B-00000000C501}3816C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:08.122{D419E45B-752D-60B6-0B00-00000000C401}6324184C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
354300x8000000000000000670293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:02.702{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51897-false10.0.1.12-8000- 10341000x8000000000000000613991Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:08.745{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F544-60B8-6C5B-00000000C501}3816C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000613990Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:08.745{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F544-60B8-6C5B-00000000C501}3816C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000613989Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:05.983{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50967-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000613988Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:08.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1843B4A2621BE86ADB28A4D928FC7B,SHA256=5E3FC7090BD457A22AAAC1583C39FD0F42E990AE3DB5174FEA216348E7977746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613987Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:08.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0A11A9329C7EE3B281EABD8ACFD1CD4,SHA256=D2EB38F11DC03F41039E63BB28B15FF47607D7FCF18A47DA54419810C7D3C17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:09.685{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB86302B55C487B5609057657141234,SHA256=D4F2E45AD235C8734359DF279F499F417A0286AF4DE51E7075BC8B7A2CB09C55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:05.579{D419E45B-752A-60B6-0100-00000000C401}4SystemNT 
AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51900-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000670301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:05.579{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51900-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000670300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:05.481{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local51899-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000670299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:05.481{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51899-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000670298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:05.469{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51898-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000670297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:05.469{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51898-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000670296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:09.044{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68287655099038C6EA7BB480E280C214,SHA256=C9D9E77A63F89AE9CCF8BC0B870A5EE13F295BEF887415868637F0CF9D0475D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613995Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:09.732{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1843B4A2621BE86ADB28A4D928FC7B,SHA256=5E3FC7090BD457A22AAAC1583C39FD0F42E990AE3DB5174FEA216348E7977746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:10.857{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F44B3E6A5DA9FBB749CF17EDE42C7C8,SHA256=606E3DD4D11BA0EEF12B731BD23DEAE589437290DB45ACCAEE7EEDE6EB048D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:10.185{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=441A038012D7018874ADD0AA799F25C0,SHA256=67B7154587E728B89A2411D4A078CA2C220EEE8A4165604858C07F7DEC69A703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613996Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:09.997{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9B11BB4F10FD893DB2D155DD8149FA,SHA256=03949F4D350A872E027F0A8F105F68222DEF248E6079B62402107FFDBF1516C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:11.884{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1313EE5E1154CA782E77AA807469BCC2,SHA256=9F86431F7CB21E46261AD4169EC1FF8F2F98390C81FE751940083825EABD94F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:11.060{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D4822E71A0035E2F4F853F4C109979,SHA256=FDF5A8C5205C3FE60E76DADBC1D67F9BB5037AD8F9B77173299970232CC1D6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:11.247{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5E1E4FD8FB962AD24EE94152F659B78,SHA256=26847C31CDE3400F02D39274D229F57F87E9279B3585C77CA2A3820058B2F354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:12.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0692B3E3856A80BE2BBE9D11B5A479,SHA256=572E09B4F686A6BBB72D761226D6C63A054A2768C87C94F0421EA9542DE7CC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:12.966{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=53B3CD5D4DD3CCD06C01BF5A67B1C4EE,SHA256=4A410B921FD8D8C927FBA8EB2820A31B672849081B752673AB808E9A196643BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:12.966{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6553BCA3308F7C019C8C533165C997EE,SHA256=5E0B85B45E7AB88AD9D53E81E559B3E1266180C59EA3C44D3EE45518DE678889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000613998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:12.075{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A85A404BA8963D75850B3565401C845,SHA256=4766EEA5A5619E3DABF350A91AFA8E7F4105766A607541943036F543E0E17F7A,IMPHASH=00000000000000000000000000000000falsetrue 
15:29:14.499{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.499{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.499{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.499{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.499{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.499{D419E45B-F549-60B8-2D51-00000000C401}23046400c:\temp\winrar.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+8e49f|C:\Windows\System32\SHELL32.dll+8e32c|C:\Windows\System32\SHELL32.dll+8e07c|C:\Windows\System32\SHELL32.dll+11c467|C:\Windows\System32\SHELL32.dll+11c3c5|c:\temp\winrar.exe+21210|c:\temp\winrar.exe+1ffd3|c:\temp\winrar.exe+1f3c1|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000670503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.484{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe1.0.0.1thank you notifierWinRAR - Thank youwin.rar GmbHth.exe"C:\Program Files\WinRAR\th.exe" -lng English -src wrr -lp thankyou -ver 580 -arch 64 -dom notifier.win-rar.com /SC:\Program Files\WinRAR\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=5657F521356461758DF8658043CF6142,SHA256=BC642DBE66B4A11A1836079A923FEDDF5F820CAA84077BF597D515B12AE57DC9,IMPHASH=E16FCB53D3FA776BF7BBE936C9A73B41{D419E45B-F549-60B8-2D51-00000000C401}2304C:\Temp\winrar.exec:\temp\winrar.exe /S 10341000x8000000000000000670502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.452{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.452{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.436{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.436{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000670496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver\Publisherwin.rar GmbH 23542300x8000000000000000670495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6E200EEA409542FE12F94D1547662A,SHA256=DB3F79AEF90233CD94A81A9718B5736C4038BA1A5623EA9A63E9AA83EBE4EA8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program 
Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 10341000x8000000000000000670489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 11241100x8000000000000000670486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10232021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\What is new in the latest version.lnk2021-06-03 15:29:14.436 10341000x8000000000000000670485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2fc5|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.436{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 10341000x8000000000000000670444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 11241100x8000000000000000670440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10232021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\Console RAR manual.lnk2021-06-03 15:29:14.420 10341000x8000000000000000670439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program 
Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 10341000x8000000000000000670435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 11241100x8000000000000000670431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10232021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR help.lnk2021-06-03 15:29:14.420 10341000x8000000000000000670430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8) 10341000x8000000000000000670426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B) 10341000x8000000000000000670424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program 
Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x8000000000000000670423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.420{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Program Files\WinRAR\uninstall.exe+9fe4|C:\Program Files\WinRAR\uninstall.exe+2da0|C:\Program Files\WinRAR\uninstall.exe+1c45|C:\Program 
Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)
11241100x8000000000000000670422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10232021-06-03 15:29:14.405{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk2021-06-03 15:29:14.405
11241100x8000000000000000670421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10232021-06-03 15:29:14.389{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR2021-06-03 15:29:14.389
10341000x8000000000000000670420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+34c4|C:\Program Files\WinRAR\uninstall.exe+1bea|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)|UNKNOWN(FFFF8493314B8134)|UNKNOWN(FFFF8493314B7FFB)|UNKNOWN(FFFFF803A4570E03)|C:\Windows\System32\win32u.dll+1184
10341000x8000000000000000670419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+34c4|C:\Program Files\WinRAR\uninstall.exe+1bea|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)|UNKNOWN(FFFF8493314B8134)|UNKNOWN(FFFF8493314B7FFB)|UNKNOWN(FFFFF803A4570E03)|C:\Windows\System32\win32u.dll+1184
10341000x8000000000000000670418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+34c4|C:\Program Files\WinRAR\uninstall.exe+1bea|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)
10341000x8000000000000000670417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+34c4|C:\Program Files\WinRAR\uninstall.exe+1bea|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)|UNKNOWN(FFFF8493314B8134)
13241300x8000000000000000670416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1042SetValue2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR.REV\shell\open\command\(Default)"C:\Program Files\WinRAR\WinRAR.exe" "%%1"
13241300x8000000000000000670415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1042SetValue2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR.ZIP\shell\open\command\(Default)"C:\Program Files\WinRAR\WinRAR.exe" "%%1"
13241300x8000000000000000670414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1042SetValue2021-06-03 15:29:14.374{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR\shell\open\command\(Default)"C:\Program Files\WinRAR\WinRAR.exe" "%%1"
10341000x8000000000000000670413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)|UNKNOWN(FFFF8493314B8134)|UNKNOWN(FFFF8493314B7FFB)|UNKNOWN(FFFFF803A4570E03)|C:\Windows\System32\win32u.dll+1184
10341000x8000000000000000670412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)|UNKNOWN(FFFF8493314B8134)|UNKNOWN(FFFF8493314B7FFB)|UNKNOWN(FFFFF803A4570E03)|C:\Windows\System32\win32u.dll+1184
10341000x8000000000000000670411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)
10341000x8000000000000000670410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)|UNKNOWN(FFFF8493314B8134)
10341000x8000000000000000670409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+60bba|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)
10341000x8000000000000000670408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)
10341000x8000000000000000670407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}70043572C:\Program Files\WinRAR\uninstall.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Program Files\WinRAR\uninstall.exe+257a|C:\Program Files\WinRAR\uninstall.exe+1bd9|C:\Program Files\WinRAR\uninstall.exe+aa4f|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803A48598C8)|UNKNOWN(FFFF8493314B4A68)|UNKNOWN(FFFF8493314B4C72)|UNKNOWN(FFFF8493314B756B)
13241300x8000000000000000670406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B41DB860-64E4-11D2-9906-E49FADC173CA}WinRAR shell extension
13241300x8000000000000000670405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\lnkfile\shellex\ContextMenuHandlers\WinRAR\(Default){B41DB860-64E4-11D2-9906-E49FADC173CA}
13241300x8000000000000000670404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\Folder\shellex\ContextMenuHandlers\WinRAR\(Default){B41DB860-64E4-11D2-9906-E49FADC173CA}
13241300x8000000000000000670403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\*\shellex\ContextMenuHandlers\WinRAR\(Default){B41DB860-64E4-11D2-9906-E49FADC173CA}
13241300x8000000000000000670402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1042SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\(Default)(Empty)
13241300x8000000000000000670401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\(Default)(Empty)
13241300x8000000000000000670400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\(Default)(Empty)
13241300x8000000000000000670399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1122SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\(Default)C:\Program Files\WinRAR\rarext.dll
13241300x8000000000000000670398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA}WinRAR shell extension
13241300x8000000000000000670397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\lnkfile\shellex\ContextMenuHandlers\WinRAR32\(Default){B41DB860-8EE4-11D2-9906-E49FADC173CA}
13241300x8000000000000000670396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\Folder\shellex\ContextMenuHandlers\WinRAR32\(Default){B41DB860-8EE4-11D2-9906-E49FADC173CA}
13241300x8000000000000000670395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\*\shellex\ContextMenuHandlers\WinRAR32\(Default){B41DB860-8EE4-11D2-9906-E49FADC173CA}
13241300x8000000000000000670394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1042SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\(Default)(Empty)
13241300x8000000000000000670393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\(Default)(Empty)
13241300x8000000000000000670392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\(Default)(Empty)
13241300x8000000000000000670391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT1122SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKCR\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\(Default)C:\Program Files\WinRAR\rarext32.dll
13241300x8000000000000000670390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe\PathC:\Program Files\WinRAR
13241300x8000000000000000670389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe\(Default)C:\Program Files\WinRAR\WinRAR.exe
13241300x8000000000000000670388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe\PathC:\Program Files\WinRAR
13241300x8000000000000000670387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:29:14.358{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe\(Default)C:\Program Files\WinRAR\WinRAR.exe
10341000x8000000000000000670386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.342{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.342{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.342{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.342{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.342{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.342{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.327{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.327{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.311{D419E45B-752F-60B6-1000-00000000C401}4166524C:\Windows\System32\svchost.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.311{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.311{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.295{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.295{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x8000000000000000670373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:14.295{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{c5109682-273e-70aa-43c2-d5d2f3cd36f8}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\BinProductVersion5.80.0.0
13241300x8000000000000000670372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:14.295{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{c5109682-273e-70aa-43c2-d5d2f3cd36f8}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\LinkDate12/05/2019 07:37:10
13241300x8000000000000000670371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:14.295{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{c5109682-273e-70aa-43c2-d5d2f3cd36f8}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\Publisheralexander roshal
13241300x8000000000000000670370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:14.295{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{c5109682-273e-70aa-43c2-d5d2f3cd36f8}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\LowerCaseLongPathc:\program files\winrar\uninstall.exe
13241300x8000000000000000670369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDBSetValue2021-06-03 15:29:14.280{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exeHKU\S-1-5-21-3762655356-77726385-4168110057-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\WinRAR\Uninstall.exeBinary Data
10341000x8000000000000000670368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.280{D419E45B-752F-60B6-1000-00000000C401}4166692C:\Windows\System32\svchost.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.280{D419E45B-752F-60B6-1000-00000000C401}4166692C:\Windows\System32\svchost.exe{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.233{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x8000000000000000670365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.217{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.217{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.217{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.217{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000670361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.217{D419E45B-F549-60B8-2D51-00000000C401}23046400c:\temp\winrar.exe{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\uninstall.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+8e49f|C:\Windows\System32\SHELL32.dll+8e32c|C:\Windows\System32\SHELL32.dll+8e07c|C:\Windows\System32\SHELL32.dll+11c467|C:\Windows\System32\SHELL32.dll+11c3c5|c:\temp\winrar.exe+21210|c:\temp\winrar.exe+1ffd3|c:\temp\winrar.exe+1f3c1|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4
154100x8000000000000000670360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.228{D419E45B-F54A-60B8-2F51-00000000C401}7004C:\Program Files\WinRAR\Uninstall.exe5.80.0Uninstall WinRARWinRARAlexander RoshalUninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setupC:\Program Files\WinRAR\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=9012FE48CA87F4DA9FC8E03390DB533A,SHA256=2A5F504084C7FEC9D612B28AF1062073ABBC5C4D160D1F967FEF31DF8CFFBD0D,IMPHASH=D9447886EBA9EFDB055829AB57876F10{D419E45B-F549-60B8-2D51-00000000C401}2304C:\Temp\winrar.exec:\temp\winrar.exe /S
10341000x8000000000000000670359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.217{D419E45B-752D-60B6-0B00-00000000C401}6324184C:\Windows\system32\lsass.exe{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.217{D419E45B-752D-60B6-0B00-00000000C401}6324184C:\Windows\system32\lsass.exe{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.202{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C983C387A4E05D5FBF82CF996ACE0536,SHA256=97243BD15248C6BB06314CDD7E522B7ACEDB103B0779D6806C2205B597B3160C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.170{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000670355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.139{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\WinRAR.chm2021-06-03 15:29:14.139 11241100x8000000000000000670354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localDLL2021-06-03 15:29:14.108{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\RarExt32.dll2021-06-03 15:29:14.108 10341000x8000000000000000670353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.108{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F54A-60B8-2E51-00000000C401}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.108{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.108{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.108{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:14.108{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.108{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F54A-60B8-2E51-00000000C401}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 11241100x8000000000000000670347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localDLL2021-06-03 15:29:14.108{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\RarExt.dll2021-06-03 15:29:14.108 10341000x8000000000000000670346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.092{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F54A-60B8-2E51-00000000C401}2236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.093{D419E45B-F54A-60B8-2E51-00000000C401}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
11241100x8000000000000000670344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localDLL2021-06-03 15:29:14.092{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\7zxa.dll2021-06-03 15:29:14.092 11241100x8000000000000000670343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 15:29:14.077{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\WinRAR.exe2021-06-03 15:29:14.077 11241100x8000000000000000670342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 15:29:14.077{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\UnRAR.exe2021-06-03 15:29:14.077 11241100x8000000000000000670341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 15:29:14.077{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\Uninstall.exe2021-06-03 15:29:14.077 11241100x8000000000000000670340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 15:29:14.030{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\th.exe2021-06-03 15:29:14.030 11241100x8000000000000000670339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 15:29:14.015{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\Rar.exe2021-06-03 15:29:14.015 11241100x8000000000000000670338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.015{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\WhatsNew.txt2021-06-03 15:29:14.015 11241100x8000000000000000670337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.015{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\Rar.txt2021-06-03 15:29:14.015 
11241100x8000000000000000670336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.015{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\License.txt2021-06-03 15:29:14.015 11241100x8000000000000000670335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.015{D419E45B-F549-60B8-2D51-00000000C401}2304c:\temp\winrar.exeC:\Program Files\WinRAR\ReadMe.txt2021-06-03 15:29:14.015 10341000x8000000000000000670602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.967{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F54B-60B8-3451-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.952{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000670600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.952{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.952{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.952{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.952{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F54B-60B8-3451-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.952{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F54B-60B8-3451-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.831{D419E45B-F54B-60B8-3451-00000000C401}7048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.827{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6156F31BF4FD28B8A68276329EB0ADC,SHA256=E0F924C695F894C503060991959F4CF25C033C26647F5C2508882C6EA7043829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.389{D419E45B-F54B-60B8-3351-00000000C401}60005180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000670592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:11.339{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local51351- 354300x8000000000000000670591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:11.301{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51902-false151.139.128.14-80http 354300x8000000000000000670590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:11.292{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-233.attackrange.local61599-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000670589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:11.292{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local55790- 
13241300x8000000000000000670588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\winrar.exe|55dc552369664f2a\BinProductVersion5.80.0.0 13241300x8000000000000000670587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\winrar.exe|55dc552369664f2a\LinkDate12/05/2019 07:36:33 13241300x8000000000000000670586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\winrar.exe|55dc552369664f2a\Publisheralexander roshal 13241300x8000000000000000670585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\winrar.exe|55dc552369664f2a\LowerCaseLongPathc:\program files\winrar\winrar.exe 13241300x8000000000000000670584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\unrar.exe|8e19d469532ee600\BinProductVersion5.80.0.0 13241300x8000000000000000670583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\unrar.exe|8e19d469532ee600\LinkDate12/05/2019 07:36:49 13241300x8000000000000000670582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\unrar.exe|8e19d469532ee600\Publisheralexander roshal 13241300x8000000000000000670581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\unrar.exe|8e19d469532ee600\LowerCaseLongPathc:\program files\winrar\unrar.exe 13241300x8000000000000000670580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\BinProductVersion5.80.0.0 13241300x8000000000000000670579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\LinkDate12/05/2019 07:37:10 13241300x8000000000000000670578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\Publisheralexander roshal 
13241300x8000000000000000670577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\LowerCaseLongPathc:\program files\winrar\uninstall.exe 13241300x8000000000000000670576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\th.exe|e1ec9010f70d4bd1\BinProductVersion1.0.0.1 13241300x8000000000000000670575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\th.exe|e1ec9010f70d4bd1\LinkDate09/21/2018 10:02:36 13241300x8000000000000000670574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\th.exe|e1ec9010f70d4bd1\Publisherwin.rar gmbh 13241300x8000000000000000670573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\th.exe|e1ec9010f70d4bd1\LowerCaseLongPathc:\program files\winrar\th.exe 13241300x8000000000000000670572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\rar.exe|ac12d647dca13730\BinProductVersion5.80.0.0 13241300x8000000000000000670571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\rar.exe|ac12d647dca13730\LinkDate12/05/2019 07:36:42 13241300x8000000000000000670570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\rar.exe|ac12d647dca13730\Publisheralexander roshal 13241300x8000000000000000670569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\rar.exe|ac12d647dca13730\LowerCaseLongPathc:\program files\winrar\rar.exe 13241300x8000000000000000670568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.327{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplication\00000419bb2c554aabeba2bc999e5e47a08400000000\Publisherwin.rar GmbH 13241300x8000000000000000670567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:15.311{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\BinProductVersion(Empty) 
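Two things in the events above are worth encoding as detection logic. First, the Event ID 10 (ProcessAccess) records that involve lsass.exe have lsass.exe as the SourceImage opening c:\temp\winrar.exe (call trace through lsasrv.dll and SspiSrv.dll), which is ordinary SSPI authentication traffic; a rule that matches "lsass" on either side of the event would alert on it, so only the TargetImage side should be tested, together with the GrantedAccess mask. Second, the Event ID 1 and 11 records show a binary launched from c:\temp with a silent switch (parent command line "c:\temp\winrar.exe /S") dropping .exe and .dll files under C:\Program Files, which is a legitimate install here but is the same shape as a user-writable-path installer an analyst would want surfaced for review. The following Python is an added example, not part of this dataset or of any Splunk or Sysmon tooling: the records are constructed to mirror the dump's field names (EventID, ProcessGuid, Image, CommandLine, TargetFilename, SourceImage, TargetImage, GrantedAccess, CallTrace), and the allowlist, directory prefixes and switch list are assumptions to be tuned per environment.

```python
"""Detection checks over Sysmon-shaped records (ProcessCreate 1, ProcessAccess 10,
FileCreate 11). Added example; the sample records are constructed, not parsed
from the dump, and the allowlist/prefix tables are assumptions."""

# Process access-mask bits relevant to reading lsass.exe memory
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: source images permitted to read lsass.exe on this host class.
LSASS_READ_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}

# Assumption: user-writable locations an installer should not normally run from.
USER_WRITABLE_PREFIXES = ("c:\\temp\\", "c:\\users\\", "c:\\windows\\temp\\")
PROGRAM_FILES_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
PE_SUFFIXES = (".exe", ".dll", ".sys")
SILENT_SWITCHES = ("/s", "/silent", "/verysilent", "/quiet", "/qn")


def lsass_access_reason(ev):
    """Return a reason string if a ProcessAccess event is a credential-access
    candidate, else None. Only the *target* side is tested: lsass.exe opening a
    client process (lsasrv/SspiSrv in the CallTrace) is routine SSPI traffic."""
    if ev["EventID"] != 10:
        return None
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if not tgt.endswith("\\lsass.exe") or src in LSASS_READ_ALLOWLIST:
        return None
    mask = int(ev["GrantedAccess"], 16)
    if mask == PROCESS_ALL_ACCESS:
        return f"{src} opened lsass.exe with PROCESS_ALL_ACCESS"
    if mask & PROCESS_VM_READ:
        return f"{src} opened lsass.exe with PROCESS_VM_READ (0x{mask:x})"
    return None


def silent_installs_from_user_dirs(events):
    """Correlate ProcessCreate and FileCreate by ProcessGuid: a PE launched from
    a user-writable path with a silent switch that then writes PE files under
    Program Files. Returns {ProcessGuid: [dropped paths]} for review."""
    candidates = {}
    for ev in events:
        if ev["EventID"] != 1:
            continue
        image = ev["Image"].lower()
        argv = ev["CommandLine"].lower().split()
        if image.startswith(USER_WRITABLE_PREFIXES) and any(
            a in SILENT_SWITCHES for a in argv[1:]
        ):
            candidates[ev["ProcessGuid"]] = []
    for ev in events:
        if ev["EventID"] == 11 and ev["ProcessGuid"] in candidates:
            path = ev["TargetFilename"].lower()
            if path.startswith(PROGRAM_FILES_PREFIXES) and path.endswith(PE_SUFFIXES):
                candidates[ev["ProcessGuid"]].append(ev["TargetFilename"])
    return {g: paths for g, paths in candidates.items() if paths}


# Constructed sample records (GUID placeholders, not values from the dump)
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{GUID-A}", "Image": "C:\\Temp\\winrar.exe",
     "CommandLine": "c:\\temp\\winrar.exe /S"},
    {"EventID": 11, "ProcessGuid": "{GUID-A}",
     "TargetFilename": "C:\\Program Files\\WinRAR\\WinRAR.exe"},
    {"EventID": 11, "ProcessGuid": "{GUID-A}",
     "TargetFilename": "C:\\Program Files\\WinRAR\\License.txt"},
    # lsass.exe opening the installer over SSPI: benign, must not alert
    {"EventID": 10, "SourceImage": "C:\\Windows\\system32\\lsass.exe",
     "TargetImage": "c:\\temp\\winrar.exe", "GrantedAccess": "0x1478",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\system32\\lsasrv.dll+24c07"},
    # constructed: an unknown binary reading lsass.exe memory
    {"EventID": 10, "SourceImage": "C:\\Users\\Public\\dump.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": "-"},
    # svchost querying sysmon64 with 0x1400 (no VM_READ): not an alert
    {"EventID": 10, "SourceImage": "C:\\Windows\\system32\\svchost.exe",
     "TargetImage": "C:\\Windows\\sysmon64.exe", "GrantedAccess": "0x1400",
     "CallTrace": "-"},
]


def run(events=SAMPLE_EVENTS):
    """Apply both checks; returns (lsass alerts, silent-install review map)."""
    alerts = [r for r in map(lsass_access_reason, events) if r]
    return alerts, silent_installs_from_user_dirs(events)


if __name__ == "__main__":
    alerts, installs = run()
    for line in alerts:
        print("ALERT:", line)
    for guid, paths in installs.items():
        print("REVIEW:", guid, paths)
```

The lsass check deliberately ignores the CallTrace: the trace is useful for triage but is attacker-controllable content in the source process, so the decision rests on target image, access mask and the allowlist. The silent-install correlation is a review queue rather than an alert; in the dump it would surface the WinRAR install, which is the intended behaviour for an installer run from c:\temp on a domain controller.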
13241300x8000000000000000670566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:15.311{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\LinkDate(Empty) 13241300x8000000000000000670565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:15.311{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\Publisheralexander roshal 13241300x8000000000000000670564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:15.311{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe\REGISTRY\A\{2d431c47-e451-2536-daa6-3bf998856af3}\Root\InventoryApplicationFile\uninstall.exe|73037c8557b99221\LowerCaseLongPathc:\program files\winrar\uninstall.exe 10341000x8000000000000000670563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.217{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F54B-60B8-3351-00000000C401}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.217{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.217{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.217{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.217{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.217{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F54B-60B8-3351-00000000C401}6000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.202{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F54B-60B8-3351-00000000C401}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.207{D419E45B-F54B-60B8-3351-00000000C401}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.202{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30E186E6417465C91F893589EAEB8C88,SHA256=93D817D01D8C3892C5D1E7DE7BE2A88B7F938AD7534CA4B803FD8D3C13BFCD11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.155{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.155{D419E45B-78A4-60B6-BF02-00000000C401}39765032C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.155{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.155{D419E45B-78A4-60B6-BF02-00000000C401}39765032C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.155{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.155{D419E45B-78A4-60B6-BF02-00000000C401}39765032C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.139{D419E45B-78A4-60B6-BF02-00000000C401}39765032C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.092{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-F54B-60B8-3251-00000000C401}2520C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.092{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-F54B-60B8-3251-00000000C401}2520C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.092{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-F54B-60B8-3251-00000000C401}2520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.077{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-F54B-60B8-3251-00000000C401}2520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.077{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F54B-60B8-3251-00000000C401}2520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:15.077{D419E45B-752F-60B6-0C00-00000000C401}8486556C:\Windows\system32\svchost.exe{D419E45B-F54B-60B8-3251-00000000C401}2520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.014{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.014{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.014{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.014{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.014{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000670536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.014{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614005Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:15.091{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F9E319B8A2CCEF6EE08BAA7916F7E0,SHA256=4F5275FEABED5BF53E93478B705E9E8163371EF4FF1397A0299514D844AB62DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71795A8FAF148A68C1DFE48EB3015520,SHA256=F71506DFFF7A105B1592BA77995868C819EEA00CF5967EB7900FD69B4010F6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11CF8A2FBCDDA0C24016E02F3260E4E4,SHA256=E7AB12F2FCE25E0B4E175331B68B9A4D6119DF71881D735C8540AE56CB75C94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20621646C31EE9257D400FDBAFB511B4,SHA256=E6DB4DFF2997D7A6F96853DAAA788B6F2CABB1D43F25197EB26E298FCF91C909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.952{D419E45B-F54C-60B8-3851-00000000C401}50565276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.889{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000670648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.739{D419E45B-F54A-60B8-3051-00000000C401}6884r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.221.223.11;::ffff:23.221.223.26;C:\Program Files\WinRAR\th.exe 13241300x8000000000000000670647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:16.889{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\000027bb02f51e48dc3e0db3390b300af68d00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 22542200x8000000000000000670646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.705{D419E45B-F54A-60B8-3051-00000000C401}6884crl.identrust.com0type: 5 identrust.edgesuite.net;type: 5 a1952.dscq.akamai.net;::ffff:23.59.188.104;::ffff:23.59.188.112;C:\Program Files\WinRAR\th.exe 10341000x8000000000000000670645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.889{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000670644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.341{D419E45B-F54A-60B8-3051-00000000C401}6884notifier.win-rar.com0::ffff:51.195.68.173;C:\Program Files\WinRAR\th.exe 10341000x8000000000000000670643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:16.889{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000670642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:17.467{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F54D-60B8-3951-00000000C401}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:17.347{D419E45B-F54D-60B8-3951-00000000C401}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000670665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.033{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local59012- 354300x8000000000000000670664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:12.999{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49556- 354300x8000000000000000670663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:12.644{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-59367-false127.0.0.1-53domain 23542300x8000000000000000670662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:17.420{D419E45B-78A4-60B6-BF02-00000000C401}3976ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.dbMD5=46BE2BBEBEC5B93644578317FC867EB1,SHA256=3EE1D85C81EB2EC05EFE33B6A92C7235C4863FB717C36C36867C45F455E80C0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:17.420{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000670660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:17.420{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000670659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:17.420{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000670658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:17.420{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000614007Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:17.107{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E78D0B03D59FFB191D01D369E8F7381,SHA256=C0D39464DF27ED790277122253C225119D8EC03AB3D3E233C3015127AA1AF166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:17.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7938A2A4858B445E07D62E5FCAD2DCA7,SHA256=BD1CA118EBAE2A1D2D1ED5D7CCFC9EB6577FAF91F171220388BCC0AE50CE3904,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000670656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:17.170{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\00004ee7114ba1c474f7bbd42f8c9f930b0700000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x8000000000000000670655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:17.092{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\000068583dc536ea8c3daf81bdbdf12127d400000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x8000000000000000670654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:17.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\000070aa163b48d93a6fb1c459f613fcd65f00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x8000000000000000670781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\Publisher(Empty) 
13241300x8000000000000000670780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LowerCaseLongPathc:\program files\git\usr\bin\bunzip2.exe 13241300x8000000000000000670779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\BinProductVersion(Empty) 13241300x8000000000000000670778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\Publisher(Empty) 13241300x8000000000000000670776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LowerCaseLongPathc:\program files\git\mingw64\bin\brotli.exe 13241300x8000000000000000670775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\BinProductVersion(Empty) 13241300x8000000000000000670774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\Publisher(Empty) 13241300x8000000000000000670772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LowerCaseLongPathc:\program files\git\mingw64\bin\blocked-file-util.exe 13241300x8000000000000000670771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\BinProductVersion2.31.1.1 13241300x8000000000000000670770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LinkDate03/27/2021 09:48:40 13241300x8000000000000000670769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\Publisherthe git development community 13241300x8000000000000000670768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LowerCaseLongPathc:\program files\git\bin\bash.exe 13241300x8000000000000000670767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\BinProductVersion(Empty) 13241300x8000000000000000670766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LinkDate12/04/2018 10:21:15 13241300x8000000000000000670765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\Publisher(Empty) 13241300x8000000000000000670764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LowerCaseLongPathc:\program files\git\usr\bin\bash.exe 13241300x8000000000000000670763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\BinProductVersion(Empty) 13241300x8000000000000000670762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\Publisher(Empty) 13241300x8000000000000000670760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LowerCaseLongPathc:\program files\git\usr\bin\basenc.exe 13241300x8000000000000000670759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\BinProductVersion(Empty) 13241300x8000000000000000670758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\Publisher(Empty) 13241300x8000000000000000670756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LowerCaseLongPathc:\program files\git\usr\bin\basename.exe 13241300x8000000000000000670755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\BinProductVersion(Empty) 13241300x8000000000000000670754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\Publisher(Empty) 13241300x8000000000000000670752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LowerCaseLongPathc:\program files\git\usr\bin\base64.exe 13241300x8000000000000000670751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\BinProductVersion(Empty) 13241300x8000000000000000670750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\Publisher(Empty) 13241300x8000000000000000670748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LowerCaseLongPathc:\program files\git\usr\bin\base32.exe 13241300x8000000000000000670747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\BinProductVersion(Empty) 13241300x8000000000000000670746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\Publisher(Empty) 13241300x8000000000000000670744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LowerCaseLongPathc:\program files\git\usr\bin\b2sum.exe 13241300x8000000000000000670743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\BinProductVersion(Empty) 13241300x8000000000000000670742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\Publisher(Empty) 13241300x8000000000000000670740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LowerCaseLongPathc:\program 
files\git\usr\bin\awk.exe 13241300x8000000000000000670739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\BinProductVersion2.0.394.0 13241300x8000000000000000670738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LinkDate04/29/2104 14:55:02 13241300x8000000000000000670737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\Publisheratlassian.bitbucket.ui 13241300x8000000000000000670736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\atlassian.bitbucket.ui.exe 13241300x8000000000000000670735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\BinProductVersion(Empty) 
13241300x8000000000000000670734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\Publisher(Empty) 13241300x8000000000000000670732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LowerCaseLongPathc:\program files\git\usr\bin\arch.exe 13241300x8000000000000000670731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\BinProductVersion(Empty) 13241300x8000000000000000670730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\Publisher(Empty) 13241300x8000000000000000670728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LowerCaseLongPathc:\program files\git\mingw64\bin\antiword.exe 13241300x8000000000000000670727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\BinProductVersion(Empty) 13241300x8000000000000000670726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\Publisher(Empty) 13241300x8000000000000000670724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LowerCaseLongPathc:\program files\git\mingw64\bin\ahost.exe 13241300x8000000000000000670723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\BinProductVersion(Empty) 13241300x8000000000000000670722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\Publisher(Empty) 13241300x8000000000000000670720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LowerCaseLongPathc:\program files\git\mingw64\bin\adig.exe 13241300x8000000000000000670719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\BinProductVersion(Empty) 13241300x8000000000000000670718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\Publisher(Empty) 13241300x8000000000000000670716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LowerCaseLongPathc:\program files\git\mingw64\bin\acountry.exe 13241300x8000000000000000670715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\BinProductVersion(Empty) 13241300x8000000000000000670714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\Publisher(Empty) 13241300x8000000000000000670712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LowerCaseLongPathc:\program files\git\usr\bin\[.exe 13241300x8000000000000000670711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\0000df264dabd056fd627673f81b364e56d90000ffff\PublisherThe Git Development Community 23542300x8000000000000000670710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.280{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB059796AC1CE303D13E48F797F04A3B,SHA256=1FEC37947A73E0DC842CBB0015A7CA2F2096C6BCFEC0AF2B6CCBB1A2FC7DE13D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.514{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51908-false10.0.1.12-8000- 354300x8000000000000000670708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.016{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local51905-false23.59.188.104a23-59-188-104.deploy.static.akamaitechnologies.com80http 23542300x8000000000000000614008Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:18.107{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223C831767C5BBFD0E2D7B06D5C270D8,SHA256=B15CE02F9D41C5364307A7907F2C087250155B65C020DDD181C443C1509808BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.233{D419E45B-753F-60B6-2C00-00000000C401}30203084C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:18.233{D419E45B-753F-60B6-2C00-00000000C401}30203084C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000670705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:12.806{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local51904-false51.195.68.173ip173.ip-51-195-68.eu443https 10341000x8000000000000000670704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.233{D419E45B-753F-60B6-2C00-00000000C401}30203084C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.233{D419E45B-753F-60B6-2C00-00000000C401}30203084C:\Windows\sysmon64.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.202{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F54E-60B8-3A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.202{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:18.202{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.202{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:18.202{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.202{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F54E-60B8-3A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.202{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F54E-60B8-3A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.067{D419E45B-F54E-60B8-3A51-00000000C401}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.061{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF0DC3133E5DB26E062BA7375CD07AF7,SHA256=0321168951F0D4CAF0E3DFD0D2A219D58BDE903A0B3AF5245328C7458891BF1E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000670693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.061{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AC7070B26FA5D49FA718A13D7F3CEE,SHA256=BD179C49D0144623B7EBE71DA304F9D284A8F1FADC663476622BB3532492B01E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\BinProductVersion2.31.1.1 13241300x8000000000000000671595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\Publisherthe git development community 13241300x8000000000000000671593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LowerCaseLongPathc:\program 
files\git\mingw64\libexec\git-core\git-rev-list.exe 13241300x8000000000000000671592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\BinProductVersion2.31.1.1 13241300x8000000000000000671591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\Publisherthe git development community 13241300x8000000000000000671589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-restore.exe 13241300x8000000000000000671588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\BinProductVersion2.31.1.1 
13241300x8000000000000000671587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\Publisherthe git development community 13241300x8000000000000000671585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reset.exe 13241300x8000000000000000671584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\BinProductVersion2.31.1.1 13241300x8000000000000000671583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\Publisherthe git development community 13241300x8000000000000000671581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rerere.exe 13241300x8000000000000000671580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\BinProductVersion2.31.1.1 13241300x8000000000000000671579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\Publisherthe git development community 13241300x8000000000000000671577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\BinProductVersion2.31.1.1 13241300x8000000000000000671471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\Publisherthe git development community 13241300x8000000000000000671469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktree.exe 13241300x8000000000000000671468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\BinProductVersion2.31.1.1 13241300x8000000000000000671467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\Publisherthe git development community 13241300x8000000000000000671465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktag.exe 13241300x8000000000000000671464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\BinProductVersion2.31.1.1 13241300x8000000000000000671463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\Publisherthe git development community 13241300x8000000000000000671461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge.exe 13241300x8000000000000000671460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\BinProductVersion2.31.1.1 13241300x8000000000000000671459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\Publisherthe git development community 13241300x8000000000000000671457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-tree.exe 13241300x8000000000000000671456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\BinProductVersion2.31.1.1 13241300x8000000000000000671455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\Publisherthe git development community 13241300x8000000000000000671453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-subtree.exe 13241300x8000000000000000671452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\BinProductVersion2.31.1.1 13241300x8000000000000000671451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\Publisherthe git development community 13241300x8000000000000000671449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-recursive.exe 13241300x8000000000000000671448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\BinProductVersion2.31.1.1 13241300x8000000000000000671447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\Publisherthe git development community 13241300x8000000000000000671445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-ours.exe 13241300x8000000000000000671444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\BinProductVersion2.31.1.1 13241300x8000000000000000671443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\Publisherthe git development community 13241300x8000000000000000671441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-index.exe 13241300x8000000000000000671440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\BinProductVersion2.31.1.1 13241300x8000000000000000671439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\Publisherthe git development community 13241300x8000000000000000671437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-file.exe 13241300x8000000000000000671436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\BinProductVersion2.31.1.1 13241300x8000000000000000671435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\Publisherthe git development community 13241300x8000000000000000671433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-base.exe 13241300x8000000000000000671432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\BinProductVersion2.31.1.1 13241300x8000000000000000671431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\Publisherthe git development community 13241300x8000000000000000671429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-maintenance.exe 13241300x8000000000000000671428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\BinProductVersion2.31.1.1 13241300x8000000000000000671427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\Publisherthe git development community 13241300x8000000000000000671425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailsplit.exe 13241300x8000000000000000671424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\BinProductVersion2.31.1.1 13241300x8000000000000000671423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\Publisherthe git development community 13241300x8000000000000000671421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailinfo.exe 13241300x8000000000000000671420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\BinProductVersion2.31.1.1 13241300x8000000000000000671419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\Publisherthe git development community 13241300x8000000000000000671417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-tree.exe 13241300x8000000000000000671416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\BinProductVersion2.31.1.1 13241300x8000000000000000671415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\Publisherthe git development community 13241300x8000000000000000671413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-remote.exe 13241300x8000000000000000671412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\BinProductVersion2.31.1.1 13241300x8000000000000000671411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\Publisherthe git development community 13241300x8000000000000000671409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-files.exe 13241300x8000000000000000671408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\BinProductVersion2.31.1.1 13241300x8000000000000000671407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\Publisherthe git development community 13241300x8000000000000000671405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-log.exe 13241300x8000000000000000671404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\BinProductVersion0.0.0.0 13241300x8000000000000000671403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.967{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
Sysmon Event ID 13 (RegistryEvent: value set), Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000, channel Microsoft-Windows-Sysmon/Operational, date 2021-06-03. Fields identical in every record of this run and therefore not repeated per row: Computer win-dc-233.attackrange.local; EventType SetValue; ProcessGuid {D419E45B-F54C-60B8-3551-00000000C401}; ProcessId 1612; Image C:\Windows\system32\compattelrunner.exe; TargetObject \REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\<Entry>\<Value>. Records are listed newest first, as exported; the first and last rows are the parts of records that straddle the boundaries of this run.

Record  Time          RuleName                Entry (name|id)                    Value              Details
(cont)  15:29:18.967  (on previous line)      git-lfs.exe|a5073c52b01e7b5b       Publisher          (Empty)
671401  15:29:18.967  InvDB-Path              git-lfs.exe|a5073c52b01e7b5b       LowerCaseLongPath  c:\program files\git\mingw64\bin\git-lfs.exe
671400  15:29:18.967  InvDB-Ver               git-lfs.exe|5a5fd3616aa3e5b5       BinProductVersion  2.31.1.1
671399  15:29:18.967  InvDB-CompileTimeClaim  git-lfs.exe|5a5fd3616aa3e5b5       LinkDate           03/27/2021 09:48:40
671398  15:29:18.967  InvDB-Pub               git-lfs.exe|5a5fd3616aa3e5b5       Publisher          the git development community
671397  15:29:18.967  InvDB-Path              git-lfs.exe|5a5fd3616aa3e5b5       LowerCaseLongPath  c:\program files\git\cmd\git-lfs.exe
671396  15:29:18.967  InvDB-Ver               git-interpret-tr|64a626455ecf8a98  BinProductVersion  2.31.1.1
671395  15:29:18.967  InvDB-CompileTimeClaim  git-interpret-tr|64a626455ecf8a98  LinkDate           03/27/2021 09:56:23
671394  15:29:18.967  InvDB-Pub               git-interpret-tr|64a626455ecf8a98  Publisher          the git development community
671393  15:29:18.967  InvDB-Path              git-interpret-tr|64a626455ecf8a98  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-interpret-trailers.exe
671392  15:29:18.967  InvDB-Ver               git-init.exe|bfcd122907ddc590      BinProductVersion  2.31.1.1
671391  15:29:18.967  InvDB-CompileTimeClaim  git-init.exe|bfcd122907ddc590      LinkDate           03/27/2021 09:56:23
671390  15:29:18.967  InvDB-Pub               git-init.exe|bfcd122907ddc590      Publisher          the git development community
671389  15:29:18.967  InvDB-Path              git-init.exe|bfcd122907ddc590      LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-init.exe
671388  15:29:18.967  InvDB-Ver               git-init-db.exe|b6baf86f656c9cd    BinProductVersion  2.31.1.1
671387  15:29:18.967  InvDB-CompileTimeClaim  git-init-db.exe|b6baf86f656c9cd    LinkDate           03/27/2021 09:56:23
671386  15:29:18.967  InvDB-Pub               git-init-db.exe|b6baf86f656c9cd    Publisher          the git development community
671385  15:29:18.967  InvDB-Path              git-init-db.exe|b6baf86f656c9cd    LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-init-db.exe
671384  15:29:18.967  InvDB-Ver               git-index-pack.e|a057507fd54823f   BinProductVersion  2.31.1.1
671383  15:29:18.967  InvDB-CompileTimeClaim  git-index-pack.e|a057507fd54823f   LinkDate           03/27/2021 09:56:23
671382  15:29:18.967  InvDB-Pub               git-index-pack.e|a057507fd54823f   Publisher          the git development community
671381  15:29:18.967  InvDB-Path              git-index-pack.e|a057507fd54823f   LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-index-pack.exe
671380  15:29:18.967  InvDB-Ver               git-imap-send.ex|b89b2f1409a90d85  BinProductVersion  2.31.1.1
671379  15:29:18.967  InvDB-CompileTimeClaim  git-imap-send.ex|b89b2f1409a90d85  LinkDate           03/27/2021 09:56:26
671378  15:29:18.967  InvDB-Pub               git-imap-send.ex|b89b2f1409a90d85  Publisher          the git development community
671377  15:29:18.967  InvDB-Path              git-imap-send.ex|b89b2f1409a90d85  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-imap-send.exe
671376  15:29:18.967  InvDB-Ver               git-http-push.ex|68d3cf7d040e7329  BinProductVersion  2.31.1.1
671375  15:29:18.967  InvDB-CompileTimeClaim  git-http-push.ex|68d3cf7d040e7329  LinkDate           03/27/2021 09:56:32
671374  15:29:18.967  InvDB-Pub               git-http-push.ex|68d3cf7d040e7329  Publisher          the git development community
671373  15:29:18.967  InvDB-Path              git-http-push.ex|68d3cf7d040e7329  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-http-push.exe
671372  15:29:18.967  InvDB-Ver               git-http-fetch.e|ab1d6cbc9e29e771  BinProductVersion  2.31.1.1
671371  15:29:18.967  InvDB-CompileTimeClaim  git-http-fetch.e|ab1d6cbc9e29e771  LinkDate           03/27/2021 09:56:30
671370  15:29:18.967  InvDB-Pub               git-http-fetch.e|ab1d6cbc9e29e771  Publisher          the git development community
671369  15:29:18.952  InvDB-Path              git-http-fetch.e|ab1d6cbc9e29e771  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-http-fetch.exe
671368  15:29:18.952  InvDB-Ver               git-http-backend|bf2a9779f0e0f190  BinProductVersion  2.31.1.1
671367  15:29:18.952  InvDB-CompileTimeClaim  git-http-backend|bf2a9779f0e0f190  LinkDate           03/27/2021 09:56:26
671366  15:29:18.952  InvDB-Pub               git-http-backend|bf2a9779f0e0f190  Publisher          the git development community
671365  15:29:18.952  InvDB-Path              git-http-backend|bf2a9779f0e0f190  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-http-backend.exe
671364  15:29:18.952  InvDB-Ver               git-help.exe|d3d7cc6cd9ec775b      BinProductVersion  2.31.1.1
671363  15:29:18.952  InvDB-CompileTimeClaim  git-help.exe|d3d7cc6cd9ec775b      LinkDate           03/27/2021 09:56:23
671362  15:29:18.952  InvDB-Pub               git-help.exe|d3d7cc6cd9ec775b      Publisher          the git development community
671361  15:29:18.952  InvDB-Path              git-help.exe|d3d7cc6cd9ec775b      LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-help.exe
671360  15:29:18.952  InvDB-Ver               git-hash-object.|ea29aa5df7dca895  BinProductVersion  2.31.1.1
671359  15:29:18.952  InvDB-CompileTimeClaim  git-hash-object.|ea29aa5df7dca895  LinkDate           03/27/2021 09:56:23
671358  15:29:18.952  InvDB-Pub               git-hash-object.|ea29aa5df7dca895  Publisher          the git development community
671357  15:29:18.952  InvDB-Path              git-hash-object.|ea29aa5df7dca895  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-hash-object.exe
671356  15:29:18.952  InvDB-Ver               git-gui.exe|d3e16d00d6d9753e       BinProductVersion  2.31.1.1
671355  15:29:18.952  InvDB-CompileTimeClaim  git-gui.exe|d3e16d00d6d9753e       LinkDate           03/27/2021 09:48:41
671354  15:29:18.952  InvDB-Pub               git-gui.exe|d3e16d00d6d9753e       Publisher          the git development community
671353  15:29:18.952  InvDB-Path              git-gui.exe|d3e16d00d6d9753e       LowerCaseLongPath  c:\program files\git\cmd\git-gui.exe
671352  15:29:18.952  InvDB-Ver               git-grep.exe|ed39fb46aff75ef0      BinProductVersion  2.31.1.1
671351  15:29:18.952  InvDB-CompileTimeClaim  git-grep.exe|ed39fb46aff75ef0      LinkDate           03/27/2021 09:56:23
671350  15:29:18.952  InvDB-Pub               git-grep.exe|ed39fb46aff75ef0      Publisher          the git development community
671349  15:29:18.952  InvDB-Path              git-grep.exe|ed39fb46aff75ef0      LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-grep.exe
671348  15:29:18.952  InvDB-Ver               git-get-tar-comm|7f010af0ea09c9e6  BinProductVersion  2.31.1.1
671347  15:29:18.952  InvDB-CompileTimeClaim  git-get-tar-comm|7f010af0ea09c9e6  LinkDate           03/27/2021 09:56:23
671346  15:29:18.952  InvDB-Pub               git-get-tar-comm|7f010af0ea09c9e6  Publisher          the git development community
671345  15:29:18.952  InvDB-Path              git-get-tar-comm|7f010af0ea09c9e6  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-get-tar-commit-id.exe
671344  15:29:18.952  InvDB-Ver               git-gc.exe|fdbdc98f5cb28d88        BinProductVersion  2.31.1.1
671343  15:29:18.952  InvDB-CompileTimeClaim  git-gc.exe|fdbdc98f5cb28d88        LinkDate           03/27/2021 09:56:23
671342  15:29:18.952  InvDB-Pub               git-gc.exe|fdbdc98f5cb28d88        Publisher          the git development community
671341  15:29:18.952  InvDB-Path              git-gc.exe|fdbdc98f5cb28d88        LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-gc.exe
671340  15:29:18.952  InvDB-Ver               git-fsmonitor--d|e5fc2f5ce2dcd18a  BinProductVersion  2.31.1.1
671339  15:29:18.952  InvDB-CompileTimeClaim  git-fsmonitor--d|e5fc2f5ce2dcd18a  LinkDate           03/27/2021 09:56:23
671338  15:29:18.952  InvDB-Pub               git-fsmonitor--d|e5fc2f5ce2dcd18a  Publisher          the git development community
671337  15:29:18.952  InvDB-Path              git-fsmonitor--d|e5fc2f5ce2dcd18a  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fsmonitor--daemon.exe
671336  15:29:18.952  InvDB-Ver               git-fsck.exe|d8efbaa5b906f8b2      BinProductVersion  2.31.1.1
671335  15:29:18.952  InvDB-CompileTimeClaim  git-fsck.exe|d8efbaa5b906f8b2      LinkDate           03/27/2021 09:56:23
671334  15:29:18.952  InvDB-Pub               git-fsck.exe|d8efbaa5b906f8b2      Publisher          the git development community
671333  15:29:18.952  InvDB-Path              git-fsck.exe|d8efbaa5b906f8b2      LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fsck.exe
671332  15:29:18.952  InvDB-Ver               git-fsck-objects|2121e55928d75601  BinProductVersion  2.31.1.1
671331  15:29:18.952  InvDB-CompileTimeClaim  git-fsck-objects|2121e55928d75601  LinkDate           03/27/2021 09:56:23
671330  15:29:18.952  InvDB-Pub               git-fsck-objects|2121e55928d75601  Publisher          the git development community
671329  15:29:18.952  InvDB-Path              git-fsck-objects|2121e55928d75601  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fsck-objects.exe
671328  15:29:18.952  InvDB-Ver               git-format-patch|9e2e07188f28a95d  BinProductVersion  2.31.1.1
671327  15:29:18.952  InvDB-CompileTimeClaim  git-format-patch|9e2e07188f28a95d  LinkDate           03/27/2021 09:56:23
671326  15:29:18.952  InvDB-Pub               git-format-patch|9e2e07188f28a95d  Publisher          the git development community
671325  15:29:18.952  InvDB-Path              git-format-patch|9e2e07188f28a95d  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-format-patch.exe
671324  15:29:18.952  InvDB-Ver               git-for-each-rep|c87afe0458a928d   BinProductVersion  2.31.1.1
671323  15:29:18.952  InvDB-CompileTimeClaim  git-for-each-rep|c87afe0458a928d   LinkDate           03/27/2021 09:56:23
671322  15:29:18.952  InvDB-Pub               git-for-each-rep|c87afe0458a928d   Publisher          the git development community
671321  15:29:18.952  InvDB-Path              git-for-each-rep|c87afe0458a928d   LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-for-each-repo.exe
671320  15:29:18.952  InvDB-Ver               git-for-each-ref|3abb92553793f6f   BinProductVersion  2.31.1.1
671319  15:29:18.952  InvDB-CompileTimeClaim  git-for-each-ref|3abb92553793f6f   LinkDate           03/27/2021 09:56:23
671318  15:29:18.952  InvDB-Pub               git-for-each-ref|3abb92553793f6f   Publisher          the git development community
671317  15:29:18.952  InvDB-Path              git-for-each-ref|3abb92553793f6f   LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-for-each-ref.exe
671316  15:29:18.952  InvDB-Ver               git-fmt-merge-ms|d963dc4ca06323fa  BinProductVersion  2.31.1.1
671315  15:29:18.952  InvDB-CompileTimeClaim  git-fmt-merge-ms|d963dc4ca06323fa  LinkDate           03/27/2021 09:56:23
671314  15:29:18.952  InvDB-Pub               git-fmt-merge-ms|d963dc4ca06323fa  Publisher          the git development community
671313  15:29:18.952  InvDB-Path              git-fmt-merge-ms|d963dc4ca06323fa  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fmt-merge-msg.exe
671312  15:29:18.952  InvDB-Ver               git-fetch.exe|26836f160b2136d8     BinProductVersion  2.31.1.1
671311  15:29:18.952  InvDB-CompileTimeClaim  git-fetch.exe|26836f160b2136d8     LinkDate           03/27/2021 09:56:23
671310  15:29:18.952  InvDB-Pub               git-fetch.exe|26836f160b2136d8     Publisher          the git development community
671309  15:29:18.952  InvDB-Path              git-fetch.exe|26836f160b2136d8     LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fetch.exe
671308  15:29:18.952  InvDB-Ver               git-fetch-pack.e|eaa13da8b960bb8f  BinProductVersion  2.31.1.1
671307  15:29:18.952  InvDB-CompileTimeClaim  git-fetch-pack.e|eaa13da8b960bb8f  LinkDate           03/27/2021 09:56:23
671306  15:29:18.952  InvDB-Pub               git-fetch-pack.e|eaa13da8b960bb8f  Publisher          the git development community
671305  15:29:18.952  InvDB-Path              git-fetch-pack.e|eaa13da8b960bb8f  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fetch-pack.exe
671304  15:29:18.952  InvDB-Ver               git-fast-import.|6e2bb2de2d0c9142  BinProductVersion  2.31.1.1
671303  15:29:18.952  InvDB-CompileTimeClaim  git-fast-import.|6e2bb2de2d0c9142  LinkDate           03/27/2021 09:56:23
671302  15:29:18.952  InvDB-Pub               git-fast-import.|6e2bb2de2d0c9142  Publisher          the git development community
671301  15:29:18.952  InvDB-Path              git-fast-import.|6e2bb2de2d0c9142  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fast-import.exe
671300  15:29:18.952  InvDB-Ver               git-fast-export.|a89216de984913cf  BinProductVersion  2.31.1.1
671299  15:29:18.952  InvDB-CompileTimeClaim  git-fast-export.|a89216de984913cf  LinkDate           03/27/2021 09:56:23
671298  15:29:18.952  InvDB-Pub               git-fast-export.|a89216de984913cf  Publisher          the git development community
671297  15:29:18.952  InvDB-Path              git-fast-export.|a89216de984913cf  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-fast-export.exe
671296  15:29:18.952  InvDB-Ver               git-env--helper.|2c74ba6e4fc1d4ec  BinProductVersion  2.31.1.1
671295  15:29:18.952  InvDB-CompileTimeClaim  git-env--helper.|2c74ba6e4fc1d4ec  LinkDate           03/27/2021 09:56:23
671294  15:29:18.952  InvDB-Pub               git-env--helper.|2c74ba6e4fc1d4ec  Publisher          the git development community
671293  15:29:18.952  InvDB-Path              git-env--helper.|2c74ba6e4fc1d4ec  LowerCaseLongPath  c:\program files\git\mingw64\libexec\git-core\git-env--helper.exe
671292  (cont.)       InvDB-Ver               (rest of this record on the next line)
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\BinProductVersion2.31.1.1 13241300x8000000000000000671291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\Publisherthe git development community 13241300x8000000000000000671289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-difftool.exe 13241300x8000000000000000671288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\BinProductVersion2.31.1.1 13241300x8000000000000000671287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\Publisherthe git development community 13241300x8000000000000000671285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff.exe 13241300x8000000000000000671284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\BinProductVersion2.31.1.1 13241300x8000000000000000671283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\Publisherthe git development community 13241300x8000000000000000671281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-tree.exe 13241300x8000000000000000671280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\BinProductVersion2.31.1.1 13241300x8000000000000000671279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\Publisherthe git development community 13241300x8000000000000000671277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-index.exe 13241300x8000000000000000671276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\BinProductVersion2.31.1.1 13241300x8000000000000000671275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\Publisherthe git development community 13241300x8000000000000000671273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-files.exe 13241300x8000000000000000671272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\BinProductVersion2.31.1.1 13241300x8000000000000000671271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\Publisherthe git development community 13241300x8000000000000000671269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-describe.exe 13241300x8000000000000000671268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\BinProductVersion2.31.1.1 13241300x8000000000000000671267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LinkDate03/27/2021 09:56:24 13241300x8000000000000000671266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\Publisherthe git development community 13241300x8000000000000000671265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-daemon.exe 13241300x8000000000000000671264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\BinProductVersion2.31.1.1 13241300x8000000000000000671263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\Publisherthe git development community 13241300x8000000000000000671261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential.exe 13241300x8000000000000000671260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\BinProductVersion(Empty) 13241300x8000000000000000671259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LinkDate03/27/2021 09:48:42 13241300x8000000000000000671258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\Publisher(Empty) 13241300x8000000000000000671257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-wincred.exe 13241300x8000000000000000671256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\BinProductVersion2.31.1.1 13241300x8000000000000000671255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\Publisherthe git development community 13241300x8000000000000000671253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-store.exe 13241300x8000000000000000671252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\BinProductVersion1.20.0.0 13241300x8000000000000000671251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\LinkDate09/05/2019 15:02:13 13241300x8000000000000000671250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\Publishermicrosoft corporation 13241300x8000000000000000671249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager.exe 13241300x8000000000000000671248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\BinProductVersion2.0.394.0 13241300x8000000000000000671247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LinkDate11/18/2091 14:46:43 13241300x8000000000000000671246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\Publishergit-credential-manager-core 13241300x8000000000000000671245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager-core.exe 13241300x8000000000000000671244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\BinProductVersion(Empty) 13241300x8000000000000000671243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\Publisher(Empty) 13241300x8000000000000000671241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-helper-selector.exe 13241300x8000000000000000671240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\BinProductVersion2.31.1.1 13241300x8000000000000000671239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\Publisherthe git development community 13241300x8000000000000000671237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache.exe 13241300x8000000000000000671236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\BinProductVersion2.31.1.1 13241300x8000000000000000671235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\Publisherthe git development community 13241300x8000000000000000671233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache--daemon.exe 13241300x8000000000000000671232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\BinProductVersion2.31.1.1 13241300x8000000000000000671231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\Publisherthe git development community 13241300x8000000000000000671229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-count-objects.exe 13241300x8000000000000000671228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\BinProductVersion2.31.1.1 13241300x8000000000000000671227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\Publisherthe git development community 13241300x8000000000000000671225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-config.exe 13241300x8000000000000000671224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\BinProductVersion2.31.1.1 13241300x8000000000000000671223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\Publisherthe git development community 13241300x8000000000000000671221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit.exe 13241300x8000000000000000671220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\BinProductVersion2.31.1.1 13241300x8000000000000000671219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\Publisherthe git development community 13241300x8000000000000000671217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-tree.exe 13241300x8000000000000000671216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\BinProductVersion2.31.1.1 13241300x8000000000000000671215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\Publisherthe git development community 13241300x8000000000000000671213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-graph.exe 13241300x8000000000000000671212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\BinProductVersion2.31.1.1 13241300x8000000000000000671211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\Publisherthe git development community 13241300x8000000000000000671209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-column.exe 13241300x8000000000000000671208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\BinProductVersion2.31.1.1 13241300x8000000000000000671207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\Publisherthe git development community 13241300x8000000000000000671205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LowerCaseLongPathc:\program files\git\git-cmd.exe 13241300x8000000000000000671204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\BinProductVersion2.31.1.1 13241300x8000000000000000671203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\Publisherthe git development community 13241300x8000000000000000671201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clone.exe 13241300x8000000000000000671200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\BinProductVersion2.31.1.1 13241300x8000000000000000671199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\Publisherthe git development community 13241300x8000000000000000671197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clean.exe 13241300x8000000000000000671196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\BinProductVersion2.31.1.1 13241300x8000000000000000671195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\Publisherthe git development community 13241300x8000000000000000671193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry.exe 13241300x8000000000000000671192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\BinProductVersion2.31.1.1 13241300x8000000000000000671191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\Publisherthe git development community 13241300x8000000000000000671189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry-pick.exe 13241300x8000000000000000671188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\BinProductVersion2.31.1.1 13241300x8000000000000000671187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\Publisherthe git development community 13241300x8000000000000000671185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout.exe 13241300x8000000000000000671184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\BinProductVersion2.31.1.1 13241300x8000000000000000671183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\Publisherthe git development community 13241300x8000000000000000671181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.952{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout-index.exe 13241300x8000000000000000671180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\BinProductVersion2.31.1.1 13241300x8000000000000000671179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\Publisherthe git development community 13241300x8000000000000000671177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ref-format.exe 13241300x8000000000000000671176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\BinProductVersion2.31.1.1 13241300x8000000000000000671175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\Publisherthe git development community 13241300x8000000000000000671173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-mailmap.exe 13241300x8000000000000000671172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\BinProductVersion2.31.1.1 13241300x8000000000000000671171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\Publisherthe git development community 13241300x8000000000000000671169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ignore.exe 13241300x8000000000000000671168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\BinProductVersion2.31.1.1 13241300x8000000000000000671167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\Publisherthe git development community 13241300x8000000000000000671165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-attr.exe 13241300x8000000000000000671164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\BinProductVersion2.31.1.1 13241300x8000000000000000671163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\Publisherthe git development community 13241300x8000000000000000671161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cat-file.exe 13241300x8000000000000000671160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\BinProductVersion2.31.1.1 13241300x8000000000000000671159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\Publisherthe git development community 13241300x8000000000000000671157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bundle.exe 13241300x8000000000000000671156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\BinProductVersion2.31.1.1 13241300x8000000000000000671155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\Publisherthe git development community 13241300x8000000000000000671153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bugreport.exe 13241300x8000000000000000671152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\BinProductVersion2.31.1.1 13241300x8000000000000000671151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\Publisherthe git development community 13241300x8000000000000000671149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-branch.exe 13241300x8000000000000000671148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\BinProductVersion2.31.1.1 13241300x8000000000000000671147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\Publisherthe git development community 13241300x8000000000000000671145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-blame.exe 13241300x8000000000000000671144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\BinProductVersion2.31.1.1 13241300x8000000000000000671143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\Publisherthe git development community 13241300x8000000000000000671141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bisect--helper.exe 13241300x8000000000000000671140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\BinProductVersion2.31.1.1 13241300x8000000000000000671139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\Publisherthe git development community 13241300x8000000000000000671137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
Sysmon Event ID 13 (RegistryEvent: Value Set) records written by the Microsoft Compatibility Appraiser (compattelrunner.exe) into the application inventory hive it loads under \REGISTRY\A\{...}. Fields shared by every record in this span:

  EventID 13, Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000
  Channel:      Microsoft-Windows-Sysmon/Operational
  Computer:     win-dc-233.attackrange.local
  EventType:    SetValue
  UtcTime:      2021-06-03 15:29:18.936
  ProcessGuid:  {D419E45B-F54C-60B8-3551-00000000C401}
  ProcessId:    1612
  Image:        C:\Windows\system32\compattelrunner.exe
  TargetObject: \REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\<file>|<id>\<value>

RecordID  RuleName                TargetObject suffix (<file>|<id>\<value>) = Details
n/a       n/a                     git-bash.exe|bb55e09d0018cc9\LowerCaseLongPath = c:\program files\git\git-bash.exe   (record header lies on the preceding line)
671136    InvDB-Ver               git-askyesno.exe|307382c653791a6b\BinProductVersion = (Empty)
671135    InvDB-CompileTimeClaim  git-askyesno.exe|307382c653791a6b\LinkDate = 01/01/1970 00:00:00
671134    InvDB-Pub               git-askyesno.exe|307382c653791a6b\Publisher = (Empty)
671133    InvDB-Path              git-askyesno.exe|307382c653791a6b\LowerCaseLongPath = c:\program files\git\mingw64\bin\git-askyesno.exe
671132    InvDB-Ver               git-askpass.exe|ac0f34128b42387d\BinProductVersion = 1.20.0.0
671131    InvDB-CompileTimeClaim  git-askpass.exe|ac0f34128b42387d\LinkDate = 09/06/2019 12:59:42
671130    InvDB-Pub               git-askpass.exe|ac0f34128b42387d\Publisher = microsoft corporation
671129    InvDB-Path              git-askpass.exe|ac0f34128b42387d\LowerCaseLongPath = c:\program files\git\mingw64\libexec\git-core\git-askpass.exe
671128    InvDB-Ver               git-archive.exe|36a80009064dc962\BinProductVersion = 2.31.1.1
671127    InvDB-CompileTimeClaim  git-archive.exe|36a80009064dc962\LinkDate = 03/27/2021 09:56:23
671126    InvDB-Pub               git-archive.exe|36a80009064dc962\Publisher = the git development community
671125    InvDB-Path              git-archive.exe|36a80009064dc962\LowerCaseLongPath = c:\program files\git\mingw64\libexec\git-core\git-archive.exe
671124    InvDB-Ver               git-apply.exe|12e49d92e436268f\BinProductVersion = 2.31.1.1
671123    InvDB-CompileTimeClaim  git-apply.exe|12e49d92e436268f\LinkDate = 03/27/2021 09:56:23
671122    InvDB-Pub               git-apply.exe|12e49d92e436268f\Publisher = the git development community
671121    InvDB-Path              git-apply.exe|12e49d92e436268f\LowerCaseLongPath = c:\program files\git\mingw64\libexec\git-core\git-apply.exe
671120    InvDB-Ver               git-annotate.exe|a44a56d360566d96\BinProductVersion = 2.31.1.1
671119    InvDB-CompileTimeClaim  git-annotate.exe|a44a56d360566d96\LinkDate = 03/27/2021 09:56:23
671118    InvDB-Pub               git-annotate.exe|a44a56d360566d96\Publisher = the git development community
671117    InvDB-Path              git-annotate.exe|a44a56d360566d96\LowerCaseLongPath = c:\program files\git\mingw64\libexec\git-core\git-annotate.exe
671116    InvDB-Ver               git-am.exe|4f482c30f10b83a7\BinProductVersion = 2.31.1.1
671115    InvDB-CompileTimeClaim  git-am.exe|4f482c30f10b83a7\LinkDate = 03/27/2021 09:56:23
671114    InvDB-Pub               git-am.exe|4f482c30f10b83a7\Publisher = the git development community
671113    InvDB-Path              git-am.exe|4f482c30f10b83a7\LowerCaseLongPath = c:\program files\git\mingw64\libexec\git-core\git-am.exe
671112    InvDB-Ver               git-add.exe|cbf55eec74d083b3\BinProductVersion = 2.31.1.1
671111    InvDB-CompileTimeClaim  git-add.exe|cbf55eec74d083b3\LinkDate = 03/27/2021 09:56:23
671110    InvDB-Pub               git-add.exe|cbf55eec74d083b3\Publisher = the git development community
671109    InvDB-Path              git-add.exe|cbf55eec74d083b3\LowerCaseLongPath = c:\program files\git\mingw64\libexec\git-core\git-add.exe
671108    InvDB-Ver               gio-querymodules|c9cec5f8077b3334\BinProductVersion = (Empty)
671107    InvDB-CompileTimeClaim  gio-querymodules|c9cec5f8077b3334\LinkDate = 01/01/1970 00:00:00
671106    InvDB-Pub               gio-querymodules|c9cec5f8077b3334\Publisher = (Empty)
671105    InvDB-Path              gio-querymodules|c9cec5f8077b3334\LowerCaseLongPath = c:\program files\git\usr\bin\gio-querymodules.exe
671104    InvDB-Ver               gettext.exe|8596cb6c6d32afb4\BinProductVersion = 0.19.8.0
671103    InvDB-CompileTimeClaim  gettext.exe|8596cb6c6d32afb4\LinkDate = 01/01/1970 04:44:00
671102    InvDB-Pub               gettext.exe|8596cb6c6d32afb4\Publisher = free software foundation
671101    InvDB-Path              gettext.exe|8596cb6c6d32afb4\LowerCaseLongPath = c:\program files\git\usr\bin\gettext.exe
671100    InvDB-Ver               gettext.exe|3980488749a39656\BinProductVersion = 0.19.8.0
671099    InvDB-CompileTimeClaim  gettext.exe|3980488749a39656\LinkDate = 01/01/1970 00:00:00
671098    InvDB-Pub               gettext.exe|3980488749a39656\Publisher = free software foundation
671097    InvDB-Path              gettext.exe|3980488749a39656\LowerCaseLongPath = c:\program files\git\mingw64\bin\gettext.exe
671096    InvDB-Ver               getprocaddr64.ex|683e30977215239e\BinProductVersion = (Empty)
671095    InvDB-CompileTimeClaim  getprocaddr64.ex|683e30977215239e\LinkDate = 03/26/2021 22:24:41
671094    InvDB-Pub               getprocaddr64.ex|683e30977215239e\Publisher = (Empty)
671093    InvDB-Path              getprocaddr64.ex|683e30977215239e\LowerCaseLongPath = c:\program files\git\usr\libexec\getprocaddr64.exe
671092    InvDB-Ver               getprocaddr32.ex|11de5925d9c6baa7\BinProductVersion = (Empty)
671091    InvDB-CompileTimeClaim  getprocaddr32.ex|11de5925d9c6baa7\LinkDate = 03/26/2021 22:24:41
671090    InvDB-Pub               getprocaddr32.ex|11de5925d9c6baa7\Publisher = (Empty)
671089    InvDB-Path              getprocaddr32.ex|11de5925d9c6baa7\LowerCaseLongPath = c:\program files\git\usr\libexec\getprocaddr32.exe
671088    InvDB-Ver               getopt.exe|b37205341d75e599\BinProductVersion = (Empty)
671087    InvDB-CompileTimeClaim  getopt.exe|b37205341d75e599\LinkDate = 01/01/1970 00:00:00
671086    InvDB-Pub               getopt.exe|b37205341d75e599\Publisher = (Empty)
671085    InvDB-Path              getopt.exe|b37205341d75e599\LowerCaseLongPath = c:\program files\git\usr\bin\getopt.exe
671084    InvDB-Ver               getfacl.exe|69b0f93924f494f7\BinProductVersion = (Empty)
671083    InvDB-CompileTimeClaim  getfacl.exe|69b0f93924f494f7\LinkDate = 03/26/2021 22:24:39
671082    InvDB-Pub               getfacl.exe|69b0f93924f494f7\Publisher = (Empty)
671081    InvDB-Path              getfacl.exe|69b0f93924f494f7\LowerCaseLongPath = c:\program files\git\usr\bin\getfacl.exe
671080    InvDB-Ver               getconf.exe|c7f6d864684a6d19\BinProductVersion = (Empty)
671079    InvDB-CompileTimeClaim  getconf.exe|c7f6d864684a6d19\LinkDate = 03/26/2021 22:24:39
671078    InvDB-Pub               getconf.exe|c7f6d864684a6d19\Publisher = (Empty)
671077    InvDB-Path              getconf.exe|c7f6d864684a6d19\LowerCaseLongPath = c:\program files\git\usr\bin\getconf.exe
671076    InvDB-Ver               gencat.exe|89f29a911ad31f09\BinProductVersion = (Empty)
671075    InvDB-CompileTimeClaim  gencat.exe|89f29a911ad31f09\LinkDate = 03/26/2021 22:24:39
671074    InvDB-Pub               gencat.exe|89f29a911ad31f09\Publisher = (Empty)
671073    InvDB-Path              gencat.exe|89f29a911ad31f09\LowerCaseLongPath = c:\program files\git\usr\bin\gencat.exe
671072    InvDB-Ver               gdbus.exe|bf2693ac7275e90\BinProductVersion = (Empty)
671071    InvDB-CompileTimeClaim  gdbus.exe|bf2693ac7275e90\LinkDate = 01/01/1970 00:00:00
671070    InvDB-Pub               gdbus.exe|bf2693ac7275e90\Publisher = (Empty)
671069    InvDB-Path              gdbus.exe|bf2693ac7275e90\LowerCaseLongPath = c:\program files\git\usr\bin\gdbus.exe
671068    InvDB-Ver               gawk.exe|33613608746cae13\BinProductVersion = (Empty)
671067    InvDB-CompileTimeClaim  gawk.exe|33613608746cae13\LinkDate = 01/01/1970 00:00:00
671066    InvDB-Pub               gawk.exe|33613608746cae13\Publisher = (Empty)
671065    InvDB-Path              gawk.exe|33613608746cae13\LowerCaseLongPath = c:\program files\git\usr\bin\gawk.exe
671064    InvDB-Ver               gawk-5.0.0.exe|709e9d005b0b4928\BinProductVersion = (Empty)
671063    InvDB-CompileTimeClaim  gawk-5.0.0.exe|709e9d005b0b4928\LinkDate = 01/01/1970 00:00:00
671062    InvDB-Pub               gawk-5.0.0.exe|709e9d005b0b4928\Publisher = (Empty)
671061    InvDB-Path              gawk-5.0.0.exe|709e9d005b0b4928\LowerCaseLongPath = c:\program files\git\usr\bin\gawk-5.0.0.exe
671060    InvDB-Ver               gapplication.exe|4ee0a6aaade17793\BinProductVersion = (Empty)
671059    InvDB-CompileTimeClaim  gapplication.exe|4ee0a6aaade17793\LinkDate = 01/01/1970 00:00:00
671058    InvDB-Pub               gapplication.exe|4ee0a6aaade17793\Publisher = (Empty)
671057    InvDB-Path              gapplication.exe|4ee0a6aaade17793\LowerCaseLongPath = c:\program files\git\usr\bin\gapplication.exe
671056    InvDB-Ver               funzip.exe|8d9537366e67e65c\BinProductVersion = (Empty)
671055    InvDB-CompileTimeClaim  funzip.exe|8d9537366e67e65c\LinkDate = 05/08/2031 18:06:26
671054    InvDB-Pub               funzip.exe|8d9537366e67e65c\Publisher = (Empty)
671053    InvDB-Path              funzip.exe|8d9537366e67e65c\LowerCaseLongPath = c:\program files\git\usr\bin\funzip.exe
671052    InvDB-Ver               frcode.exe|c02ff0fb50c67deb\BinProductVersion = (Empty)
671051    InvDB-CompileTimeClaim  frcode.exe|c02ff0fb50c67deb\LinkDate = 01/01/1970 00:00:00
671050    InvDB-Pub               frcode.exe|c02ff0fb50c67deb\Publisher = (Empty)
671049    InvDB-Path              frcode.exe|c02ff0fb50c67deb\LowerCaseLongPath = c:\program files\git\usr\libexec\frcode.exe
671048    InvDB-Ver               fold.exe|84163f1e2201dd71\BinProductVersion = (Empty)
671047    InvDB-CompileTimeClaim  fold.exe|84163f1e2201dd71\LinkDate = 01/01/1970 00:00:00
671046    InvDB-Pub               fold.exe|84163f1e2201dd71\Publisher = (Empty)
671045    InvDB-Path              fold.exe|84163f1e2201dd71\LowerCaseLongPath = c:\program files\git\usr\bin\fold.exe
671044    InvDB-Ver               fmt.exe|74780154d3c66e14\BinProductVersion = (Empty)
671043    InvDB-CompileTimeClaim  fmt.exe|74780154d3c66e14\LinkDate = 01/01/1970 00:00:00
671042    InvDB-Pub               fmt.exe|74780154d3c66e14\Publisher = (Empty)
671041    InvDB-Path              fmt.exe|74780154d3c66e14\LowerCaseLongPath = c:\program files\git\usr\bin\fmt.exe
671040    InvDB-Ver               find.exe|d79fa77470677f17\BinProductVersion = (Empty)
671039    InvDB-CompileTimeClaim  find.exe|d79fa77470677f17\LinkDate = 01/01/1970 00:00:00
671038    InvDB-Pub               find.exe|d79fa77470677f17\Publisher = (Empty)
671037    InvDB-Path              find.exe|d79fa77470677f17\LowerCaseLongPath = c:\program files\git\usr\bin\find.exe
671036    InvDB-Ver               file.exe|9412a967e2d15f0f\BinProductVersion = (Empty)
671035    InvDB-CompileTimeClaim  file.exe|9412a967e2d15f0f\LinkDate = 01/01/1970 00:00:00
671034    InvDB-Pub               file.exe|9412a967e2d15f0f\Publisher = (Empty)
671033    InvDB-Path              file.exe|9412a967e2d15f0f\LowerCaseLongPath = c:\program files\git\usr\bin\file.exe
671032    InvDB-Ver               fido2-token.exe|a3c5680a4f7259a\BinProductVersion = (Empty)
671031    InvDB-CompileTimeClaim  fido2-token.exe|a3c5680a4f7259a\LinkDate = 01/01/1970 00:00:00
671030    InvDB-Pub               fido2-token.exe|a3c5680a4f7259a\Publisher = (Empty)
671029    InvDB-Path              fido2-token.exe|a3c5680a4f7259a\LowerCaseLongPath = c:\program files\git\usr\bin\fido2-token.exe
671028    InvDB-Ver               fido2-cred.exe|c2222f8371b081a5\BinProductVersion = (Empty)
671027    InvDB-CompileTimeClaim  fido2-cred.exe|c2222f8371b081a5\LinkDate = 01/01/1970 00:00:00
671026    InvDB-Pub               (TargetObject and Details lie on the following line)
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\Publisher(Empty) 13241300x8000000000000000671025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LowerCaseLongPathc:\program files\git\usr\bin\fido2-cred.exe 13241300x8000000000000000671024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\BinProductVersion(Empty) 13241300x8000000000000000671023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\Publisher(Empty) 13241300x8000000000000000671021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LowerCaseLongPathc:\program files\git\usr\bin\fido2-assert.exe 13241300x8000000000000000671020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\BinProductVersion(Empty) 13241300x8000000000000000671019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\Publisher(Empty) 13241300x8000000000000000671017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LowerCaseLongPathc:\program files\git\usr\bin\false.exe 13241300x8000000000000000671016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\BinProductVersion(Empty) 13241300x8000000000000000671015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\Publisher(Empty) 13241300x8000000000000000671013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LowerCaseLongPathc:\program files\git\usr\bin\factor.exe 13241300x8000000000000000671012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\BinProductVersion(Empty) 13241300x8000000000000000671011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\Publisher(Empty) 13241300x8000000000000000671009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LowerCaseLongPathc:\program files\git\usr\bin\expr.exe 13241300x8000000000000000671008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\BinProductVersion(Empty) 13241300x8000000000000000671007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\Publisher(Empty) 13241300x8000000000000000671005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LowerCaseLongPathc:\program files\git\usr\bin\expand.exe 13241300x8000000000000000671004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\BinProductVersion(Empty) 13241300x8000000000000000671003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\Publisher(Empty) 13241300x8000000000000000671001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LowerCaseLongPathc:\program 
files\git\usr\bin\ex.exe 354300x8000000000000000671000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.685{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58398- 354300x8000000000000000670999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.655{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65505- 13241300x8000000000000000670998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\BinProductVersion0.19.8.0 354300x8000000000000000670997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:14.655{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58398- 13241300x8000000000000000670996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\Publisherfree software 
foundation 13241300x8000000000000000670994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LowerCaseLongPathc:\program files\git\mingw64\bin\envsubst.exe 13241300x8000000000000000670993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\BinProductVersion0.19.8.0 13241300x8000000000000000670992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LinkDate12/01/2031 01:05:42 13241300x8000000000000000670991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\Publisherfree software foundation 13241300x8000000000000000670990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LowerCaseLongPathc:\program files\git\usr\bin\envsubst.exe 13241300x8000000000000000670989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\BinProductVersion(Empty) 13241300x8000000000000000670988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\Publisher(Empty) 13241300x8000000000000000670986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LowerCaseLongPathc:\program files\git\usr\bin\env.exe 13241300x8000000000000000670985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\BinProductVersion(Empty) 13241300x8000000000000000670984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\Publisher(Empty) 13241300x8000000000000000670982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.936{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test_dll.exe 13241300x8000000000000000670981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\BinProductVersion(Empty) 13241300x8000000000000000670980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\Publisher(Empty) 13241300x8000000000000000670978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test.exe 13241300x8000000000000000670977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\BinProductVersion(Empty) 13241300x8000000000000000670976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LinkDate03/27/2021 09:48:39 13241300x8000000000000000670975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\Publisher(Empty) 13241300x8000000000000000670974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LowerCaseLongPathc:\program files\git\mingw64\share\git\edit-git-bash.exe 13241300x8000000000000000670973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\echo.exe|263446599120623a\BinProductVersion(Empty) 13241300x8000000000000000670972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\echo.exe|263446599120623a\Publisher(Empty) 13241300x8000000000000000670970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LowerCaseLongPathc:\program files\git\usr\bin\echo.exe 13241300x8000000000000000670969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\BinProductVersion(Empty) 13241300x8000000000000000670968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\Publisher(Empty) 13241300x8000000000000000670966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LowerCaseLongPathc:\program files\git\usr\bin\dumpsexp.exe 13241300x8000000000000000670965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\BinProductVersion(Empty) 13241300x8000000000000000670964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\Publisher(Empty) 13241300x8000000000000000670962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LowerCaseLongPathc:\program files\git\usr\bin\du.exe 13241300x8000000000000000670961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\BinProductVersion(Empty) 13241300x8000000000000000670960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\Publisher(Empty) 13241300x8000000000000000670958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LowerCaseLongPathc:\program files\git\usr\bin\dos2unix.exe 13241300x8000000000000000670957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\BinProductVersion(Empty) 13241300x8000000000000000670956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\Publisher(Empty) 13241300x8000000000000000670954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LowerCaseLongPathc:\program files\git\usr\bin\dirname.exe
13241300x8000000000000000670953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\BinProductVersion(Empty)
13241300x8000000000000000670952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\Publisher(Empty)
13241300x8000000000000000670950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr.exe
13241300x8000000000000000670949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\BinProductVersion(Empty)
13241300x8000000000000000670948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\Publisher(Empty)
13241300x8000000000000000670946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr-client.exe
13241300x8000000000000000670945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\BinProductVersion(Empty)
13241300x8000000000000000670944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\Publisher(Empty)
13241300x8000000000000000670942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LowerCaseLongPathc:\program files\git\usr\bin\dircolors.exe
13241300x8000000000000000670941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\BinProductVersion(Empty)
13241300x8000000000000000670940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\Publisher(Empty)
13241300x8000000000000000670938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LowerCaseLongPathc:\program files\git\usr\bin\dir.exe
13241300x8000000000000000670937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\BinProductVersion(Empty)
13241300x8000000000000000670936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\Publisher(Empty)
13241300x8000000000000000670934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LowerCaseLongPathc:\program files\git\usr\bin\diff3.exe
13241300x8000000000000000670933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\BinProductVersion(Empty)
13241300x8000000000000000670932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\Publisher(Empty)
13241300x8000000000000000670930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LowerCaseLongPathc:\program files\git\usr\bin\diff.exe
13241300x8000000000000000670929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\BinProductVersion(Empty)
13241300x8000000000000000670928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\Publisher(Empty)
13241300x8000000000000000670926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LowerCaseLongPathc:\program files\git\usr\bin\df.exe
13241300x8000000000000000670925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\BinProductVersion(Empty)
13241300x8000000000000000670924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\Publisher(Empty)
13241300x8000000000000000670922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LowerCaseLongPathc:\program files\git\usr\bin\dd.exe
13241300x8000000000000000670921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\BinProductVersion(Empty)
13241300x8000000000000000670920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\Publisher(Empty)
13241300x8000000000000000670918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LowerCaseLongPathc:\program files\git\usr\bin\date.exe
13241300x8000000000000000670917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\BinProductVersion(Empty)
13241300x8000000000000000670916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\Publisher(Empty)
13241300x8000000000000000670914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LowerCaseLongPathc:\program files\git\usr\bin\dash.exe
13241300x8000000000000000670913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\BinProductVersion(Empty)
13241300x8000000000000000670912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\Publisher(Empty)
13241300x8000000000000000670910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LowerCaseLongPathc:\program files\git\usr\bin\d2u.exe
13241300x8000000000000000670909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\BinProductVersion(Empty)
13241300x8000000000000000670908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LinkDate03/26/2021 22:24:41
13241300x8000000000000000670907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\Publisher(Empty)
13241300x8000000000000000670906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LowerCaseLongPathc:\program files\git\usr\bin\cygwin-console-helper.exe
13241300x8000000000000000670905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\BinProductVersion(Empty)
13241300x8000000000000000670904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LinkDate03/26/2021 22:24:39
13241300x8000000000000000670903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\Publisher(Empty)
13241300x8000000000000000670902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LowerCaseLongPathc:\program files\git\usr\bin\cygpath.exe
13241300x8000000000000000670901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\BinProductVersion(Empty)
13241300x8000000000000000670900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LinkDate03/26/2021 22:24:41
13241300x8000000000000000670899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\Publisher(Empty)
13241300x8000000000000000670898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LowerCaseLongPathc:\program files\git\usr\bin\cygcheck.exe
13241300x8000000000000000670897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\BinProductVersion(Empty)
13241300x8000000000000000670896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\Publisher(Empty)
13241300x8000000000000000670894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LowerCaseLongPathc:\program files\git\usr\bin\cut.exe
13241300x8000000000000000670893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\BinProductVersion(Empty)
13241300x8000000000000000670892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LinkDate02/04/2021 08:40:35
13241300x8000000000000000670891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\Publisher(Empty)
13241300x8000000000000000670890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LowerCaseLongPathc:\program files\git\mingw64\bin\curl.exe
13241300x8000000000000000670889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\BinProductVersion(Empty)
13241300x8000000000000000670888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\Publisher(Empty)
13241300x8000000000000000670886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LowerCaseLongPathc:\program files\git\usr\bin\csplit.exe
13241300x8000000000000000670885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\BinProductVersion(Empty)
13241300x8000000000000000670884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\Publisher(Empty)
13241300x8000000000000000670882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LowerCaseLongPathc:\program files\git\mingw64\bin\create-shortcut.exe
13241300x8000000000000000670881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\BinProductVersion(Empty)
13241300x8000000000000000670880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\Publisher(Empty)
13241300x8000000000000000670878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LowerCaseLongPathc:\program files\git\usr\bin\cp.exe
13241300x8000000000000000670877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\BinProductVersion(Empty)
13241300x8000000000000000670876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\Publisher(Empty)
13241300x8000000000000000670874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LowerCaseLongPathc:\program files\git\mingw64\bin\connect.exe
13241300x8000000000000000670873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\BinProductVersion2.31.1.1
13241300x8000000000000000670872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LinkDate03/27/2021 09:48:40
13241300x8000000000000000670871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\Publisherthe git development community
13241300x8000000000000000670870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LowerCaseLongPathc:\program files\git\mingw64\share\git\compat-bash.exe
13241300x8000000000000000670869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\BinProductVersion(Empty)
13241300x8000000000000000670868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\Publisher(Empty)
13241300x8000000000000000670866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LowerCaseLongPathc:\program files\git\usr\bin\comm.exe
13241300x8000000000000000670865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\BinProductVersion(Empty)
13241300x8000000000000000670864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\Publisher(Empty)
13241300x8000000000000000670862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LowerCaseLongPathc:\program files\git\usr\bin\column.exe
13241300x8000000000000000670861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\BinProductVersion(Empty)
13241300x8000000000000000670860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\Publisher(Empty)
13241300x8000000000000000670858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LowerCaseLongPathc:\program files\git\usr\bin\cmp.exe
13241300x8000000000000000670857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\BinProductVersion(Empty)
13241300x8000000000000000670856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\Publisher(Empty)
13241300x8000000000000000670854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LowerCaseLongPathc:\program files\git\usr\bin\clear.exe
13241300x8000000000000000670853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\BinProductVersion(Empty)
13241300x8000000000000000670852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LinkDate10/26/1974 18:18:40
13241300x8000000000000000670851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\Publisher(Empty)
13241300x8000000000000000670850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LowerCaseLongPathc:\program files\git\usr\lib\gettext\cldr-plurals.exe
13241300x8000000000000000670849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\BinProductVersion(Empty)
13241300x8000000000000000670848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\Publisher(Empty)
13241300x8000000000000000670846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LowerCaseLongPathc:\program files\git\usr\bin\cksum.exe
13241300x8000000000000000670845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\BinProductVersion(Empty)
13241300x8000000000000000670844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LinkDate01/01/1970 00:00:00
13241300x8000000000000000670843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\Publisher(Empty)
13241300x8000000000000000670842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LowerCaseLongPathc:\program files\git\usr\bin\chroot.exe 13241300x8000000000000000670841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\BinProductVersion(Empty) 13241300x8000000000000000670840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\Publisher(Empty) 13241300x8000000000000000670838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LowerCaseLongPathc:\program files\git\usr\bin\chown.exe 13241300x8000000000000000670837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\BinProductVersion(Empty) 13241300x8000000000000000670836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\Publisher(Empty) 13241300x8000000000000000670834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LowerCaseLongPathc:\program files\git\usr\bin\chmod.exe 13241300x8000000000000000670833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\BinProductVersion(Empty) 13241300x8000000000000000670832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\Publisher(Empty) 13241300x8000000000000000670830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LowerCaseLongPathc:\program files\git\usr\bin\chgrp.exe 13241300x8000000000000000670829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\BinProductVersion(Empty) 13241300x8000000000000000670828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\Publisher(Empty) 13241300x8000000000000000670826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LowerCaseLongPathc:\program files\git\usr\bin\chcon.exe 13241300x8000000000000000670825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\BinProductVersion(Empty) 13241300x8000000000000000670824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LinkDate03/26/2021 22:24:39 13241300x8000000000000000670823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\Publisher(Empty) 13241300x8000000000000000670822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LowerCaseLongPathc:\program files\git\usr\bin\chattr.exe 13241300x8000000000000000670821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\BinProductVersion(Empty) 13241300x8000000000000000670820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\Publisher(Empty) 13241300x8000000000000000670818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LowerCaseLongPathc:\program files\git\usr\bin\cat.exe 13241300x8000000000000000670817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\BinProductVersion(Empty) 13241300x8000000000000000670816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\Publisher(Empty) 13241300x8000000000000000670814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LowerCaseLongPathc:\program files\git\usr\bin\captoinfo.exe 13241300x8000000000000000670813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\BinProductVersion(Empty) 13241300x8000000000000000670812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\Publisher(Empty) 13241300x8000000000000000670810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2recover.exe 13241300x8000000000000000670809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\BinProductVersion(Empty) 13241300x8000000000000000670808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\Publisher(Empty) 13241300x8000000000000000670806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LowerCaseLongPathc:\program files\git\usr\bin\bzip2recover.exe 13241300x8000000000000000670805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\BinProductVersion(Empty) 13241300x8000000000000000670804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\Publisher(Empty) 13241300x8000000000000000670802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2.exe 13241300x8000000000000000670801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\BinProductVersion(Empty) 13241300x8000000000000000670800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\Publisher(Empty) 13241300x8000000000000000670798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LowerCaseLongPathc:\program files\git\usr\bin\bzip2.exe 354300x8000000000000000670797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.573{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local51907-false51.195.68.173ip173.ip-51-195-68.eu443https 13241300x8000000000000000670796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\BinProductVersion(Empty) 13241300x8000000000000000670795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LinkDate01/01/1970 00:00:00 354300x8000000000000000670794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:13.051{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local51906-false23.221.223.11a23-221-223-11.deploy.static.akamaitechnologies.com80http 13241300x8000000000000000670793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\Publisher(Empty) 13241300x8000000000000000670792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LowerCaseLongPathc:\program files\git\usr\bin\bzcat.exe 
13241300x8000000000000000670791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\BinProductVersion(Empty) 13241300x8000000000000000670790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\Publisher(Empty) 13241300x8000000000000000670788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LowerCaseLongPathc:\program files\git\mingw64\bin\bzcat.exe 13241300x8000000000000000670787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\BinProductVersion(Empty) 354300x8000000000000000614012Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:17.078{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50969-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614011Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:19.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA72DAA1E89DEE826521F52372371C49,SHA256=7E1274B107E292B7C9E1C8ADA46BCC2B60A77EE4C469685AAFDF73621A8A65A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614010Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:19.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B170BAE112ECCE83EFF5028CE25C8D8C,SHA256=F123B1EF899E9DB68125D42C061FC68FF197EBED480159C6F770D6E9407BAFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614009Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:19.122{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BB34D70ABBBDB2C3C755C370324026,SHA256=8466821FE5AFEF2B45D788693C3E4BE64B0BCB1125D789D5AB521EC2C9313602,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000670786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.920{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LinkDate01/01/1970 00:00:00 13241300x8000000000000000670785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\Publisher(Empty) 13241300x8000000000000000670784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LowerCaseLongPathc:\program files\git\mingw64\bin\bunzip2.exe 13241300x8000000000000000670783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\BinProductVersion(Empty) 13241300x8000000000000000670782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.905{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\BinProductVersion(Empty) 13241300x8000000000000000672468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\Publisher(Empty) 13241300x8000000000000000672466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LowerCaseLongPathc:\program files\git\usr\bin\tail.exe 13241300x8000000000000000672465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\BinProductVersion(Empty) 13241300x8000000000000000672464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LinkDate01/01/1970 00:00:00

Sysmon Event ID 13 (RegistryEvent: SetValue) records 672463 down to 672427, one record per line. Fields identical in every record are stated once:
EventID 13, Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-233.attackrange.local, EventType SetValue, UtcTime 2021-06-03 15:29:19.045, ProcessGuid {D419E45B-F54C-60B8-3551-00000000C401}, ProcessId 1612, Image C:\Windows\system32\compattelrunner.exe
TargetObject = \REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\<Key>\<Value>

Record  RuleName                Key                                Value              Details
672463  InvDB-Pub               tac.exe|e73e5023bd74098e           Publisher          (Empty)
672462  InvDB-Path              tac.exe|e73e5023bd74098e           LowerCaseLongPath  c:\program files\git\usr\bin\tac.exe
672461  InvDB-Ver               tabs.exe|743d286408f97c6a          BinProductVersion  (Empty)
672460  InvDB-CompileTimeClaim  tabs.exe|743d286408f97c6a          LinkDate           01/01/1970 00:00:00
672459  InvDB-Pub               tabs.exe|743d286408f97c6a          Publisher          (Empty)
672458  InvDB-Path              tabs.exe|743d286408f97c6a          LowerCaseLongPath  c:\program files\git\usr\bin\tabs.exe
672457  InvDB-Ver               sync.exe|5031e1e27bd724c8          BinProductVersion  (Empty)
672456  InvDB-CompileTimeClaim  sync.exe|5031e1e27bd724c8          LinkDate           01/01/1970 00:00:00
672455  InvDB-Pub               sync.exe|5031e1e27bd724c8          Publisher          (Empty)
672454  InvDB-Path              sync.exe|5031e1e27bd724c8          LowerCaseLongPath  c:\program files\git\usr\bin\sync.exe
672453  InvDB-Ver               sum.exe|624682ccf5cba616           BinProductVersion  (Empty)
672452  InvDB-CompileTimeClaim  sum.exe|624682ccf5cba616           LinkDate           01/01/1970 00:00:00
672451  InvDB-Pub               sum.exe|624682ccf5cba616           Publisher          (Empty)
672450  InvDB-Path              sum.exe|624682ccf5cba616           LowerCaseLongPath  c:\program files\git\usr\bin\sum.exe
672449  InvDB-Ver               stty.exe|4906c606dce675            BinProductVersion  (Empty)
672448  InvDB-CompileTimeClaim  stty.exe|4906c606dce675            LinkDate           01/01/1970 00:00:00
672447  InvDB-Pub               stty.exe|4906c606dce675            Publisher          (Empty)
672446  InvDB-Path              stty.exe|4906c606dce675            LowerCaseLongPath  c:\program files\git\usr\bin\stty.exe
672445  InvDB-Ver               strace.exe|2e71f496c5d1f2c3        BinProductVersion  (Empty)
672444  InvDB-CompileTimeClaim  strace.exe|2e71f496c5d1f2c3        LinkDate           03/26/2021 22:24:41
672443  InvDB-Pub               strace.exe|2e71f496c5d1f2c3        Publisher          (Empty)
672442  InvDB-Path              strace.exe|2e71f496c5d1f2c3        LowerCaseLongPath  c:\program files\git\usr\bin\strace.exe
672441  InvDB-Ver               stat.exe|1f444a67c4725e6b          BinProductVersion  (Empty)
672440  InvDB-CompileTimeClaim  stat.exe|1f444a67c4725e6b          LinkDate           01/01/1970 00:00:00
672439  InvDB-Pub               stat.exe|1f444a67c4725e6b          Publisher          (Empty)
672438  InvDB-Path              stat.exe|1f444a67c4725e6b          LowerCaseLongPath  c:\program files\git\usr\bin\stat.exe
672437  InvDB-Ver               ssp.exe|e0a08db5e80ffcdd           BinProductVersion  (Empty)
672436  InvDB-CompileTimeClaim  ssp.exe|e0a08db5e80ffcdd           LinkDate           03/26/2021 22:24:41
672435  InvDB-Pub               ssp.exe|e0a08db5e80ffcdd           Publisher          (Empty)
672434  InvDB-Path              ssp.exe|e0a08db5e80ffcdd           LowerCaseLongPath  c:\program files\git\usr\bin\ssp.exe
672433  InvDB-Ver               sshd.exe|5f6404603331db89          BinProductVersion  (Empty)
672432  InvDB-CompileTimeClaim  sshd.exe|5f6404603331db89          LinkDate           01/01/1970 00:00:00
672431  InvDB-Pub               sshd.exe|5f6404603331db89          Publisher          (Empty)
672430  InvDB-Path              sshd.exe|5f6404603331db89          LowerCaseLongPath  c:\program files\git\usr\bin\sshd.exe
672429  InvDB-Ver               ssh.exe|4c8b77151293e36e           BinProductVersion  (Empty)
672428  InvDB-CompileTimeClaim  ssh.exe|4c8b77151293e36e           LinkDate           01/01/1970 00:00:00
672427  InvDB-Pub               ssh.exe|4c8b77151293e36e           Publisher          (Empty)
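The records above are Sysmon Event ID 13 registry writes exported with every field run together. The Python below is an added example, not code from the page or from the Splunk Attack Range project: it splits records of exactly that shape back into fields, rebuilds the per-file software inventory that the InvDB-* rule names exist to capture (BinProductVersion, LinkDate, Publisher and LowerCaseLongPath for one InventoryApplicationFile key), and flags entries worth checking against the file on disk. The six sample records are re-created byte for byte from records 672461 to 672458 (tabs.exe) and 672353 to 672352 (sh.exe) on this page. All function names are this example's own, and the triage rules (a LinkDate at the Unix epoch, which means a zero PE TimeDateStamp; an empty publisher or version; a path not yet recorded) are the example's choices rather than anything the page states.

```python
import re
from collections import defaultdict

# Constructed sample: six of this page's Sysmon Event ID 13 records (672461-672458
# for tabs.exe, 672353-672352 for sh.exe), re-created from the page's own values.
SAMPLE_ROWS = [
    # (record id, rule name, InventoryApplicationFile key, value name, details)
    (672461, "InvDB-Ver", "tabs.exe|743d286408f97c6a", "BinProductVersion", "(Empty)"),
    (672460, "InvDB-CompileTimeClaim", "tabs.exe|743d286408f97c6a", "LinkDate", "01/01/1970 00:00:00"),
    (672459, "InvDB-Pub", "tabs.exe|743d286408f97c6a", "Publisher", "(Empty)"),
    (672458, "InvDB-Path", "tabs.exe|743d286408f97c6a", "LowerCaseLongPath",
     "c:\\program files\\git\\usr\\bin\\tabs.exe"),
    (672353, "InvDB-Ver", "sh.exe|464d78a7aeef6674", "BinProductVersion", "2.31.1.1"),
    (672352, "InvDB-CompileTimeClaim", "sh.exe|464d78a7aeef6674", "LinkDate", "03/27/2021 09:48:40"),
]

# Values shared by every record on the page. SYSTEM_PREFIX is EventID 13, Version 2,
# Level 4, Task 13, Opcode 0 and Keywords; \REGISTRY\A\ is the application-hive namespace.
SYSTEM_PREFIX = "13241300x8000000000000000"
CHANNEL_COMPUTER = "Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local"
EVENT_BODY = (
    "SetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612"
    "C:\\Windows\\system32\\compattelrunner.exe\\REGISTRY\\A\\"
    "{5ad20094-020b-9d31-4e12-60dd2f69b296}\\Root\\InventoryApplicationFile\\"
)

def flatten(record_id, rule, key, value, details):
    """Rebuild one record exactly as the export shows it: no delimiters, one trailing space."""
    return f"{SYSTEM_PREFIX}{record_id}{CHANNEL_COMPUTER}{rule}{EVENT_BODY}{key}\\{value}{details} "

SAMPLE = "".join(flatten(*row) for row in SAMPLE_ROWS)

# One Event ID 13 InvDB record in the run-together format. Literal 13s pin EventID and
# Task; the fixed value-name alternation is what marks the end of the inventory key, and
# the lookahead ends Details at the next record's System prefix or at end of input.
RECORD_RE = re.compile(
    r"13(?P<version>\d)(?P<level>\d)13(?P<opcode>\d)(?P<keywords>0x[0-9a-fA-F]{16})"
    r"(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)(?P<rule>InvDB-[A-Za-z]+)SetValue"
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"(?P<process_guid>\{[0-9A-Fa-f-]{36}\})(?P<process_id>\d+)"
    r"(?P<image>[A-Za-z]:\\.+?\.exe)\\REGISTRY\\(?P<hive>.+?)\\InventoryApplicationFile\\"
    r"(?P<key>[^\\]+)\\(?P<value>BinProductVersion|LinkDate|Publisher|LowerCaseLongPath)"
    r"(?P<details>.*?)(?= 13\d\d13\d0x8|\s*\Z)",
    re.S,
)

VALUE_FIELDS = {"BinProductVersion": "version", "LinkDate": "link_date",
                "Publisher": "publisher", "LowerCaseLongPath": "path"}

def parse_records(text):
    """Split a run-together export into one dict per Event ID 13 InvDB record."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def is_expected_inventory_write(rec):
    """The benign pattern seen on this page: the Compatibility Telemetry runner writing
    into the application hive. Any other image or hive touching this key deserves a look."""
    return (rec["image"].lower().endswith("\\compattelrunner.exe")
            and rec["hive"].upper().startswith("A\\"))

def build_inventory(records):
    """Collapse the four InvDB-* writes per file key into one inventory entry."""
    inventory = defaultdict(dict)
    for rec in records:
        entry = inventory[rec["key"]]
        entry.setdefault("computer", rec["computer"])
        entry[VALUE_FIELDS[rec["value"]]] = rec["details"]
    return dict(inventory)

def triage(inventory):
    """Flag entries to cross-check on disk (rules are this example's own assumptions)."""
    notes = {}
    for key, entry in inventory.items():
        flags = []
        if entry.get("link_date", "").startswith("01/01/1970"):
            flags.append("zero PE timestamp")   # LinkDate at the epoch: TimeDateStamp is 0
        if entry.get("publisher") == "(Empty)":
            flags.append("no publisher")
        if entry.get("version") == "(Empty)":
            flags.append("no product version")
        if "path" not in entry:
            flags.append("path not yet recorded")
        notes[key] = flags
    return notes

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    assert all(is_expected_inventory_write(r) for r in recs)
    inv = build_inventory(recs)
    for key, flags in triage(inv).items():
        print(f"{key:35} {inv[key].get('path', '?'):45} {', '.join(flags) or 'ok'}")
```

Run as a script it prints one line per inventory key with its recorded path and any flags. The same `parse_records` works on the whole export if the raw text is read from a file, because every InvDB record on this page follows the shape the pattern pins down; records cut off at a line boundary in the export simply do not match and are skipped rather than mis-parsed.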
Sysmon Event ID 13 (RegistryEvent: SetValue) records 672426 down to 672352, one record per line. Fields identical in every record are stated once:
EventID 13, Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-233.attackrange.local, EventType SetValue, UtcTime 2021-06-03 15:29:19.045, ProcessGuid {D419E45B-F54C-60B8-3551-00000000C401}, ProcessId 1612, Image C:\Windows\system32\compattelrunner.exe
TargetObject = \REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\<Key>\<Value>

Record  RuleName                Key                                Value              Details
672426  InvDB-Path              ssh.exe|4c8b77151293e36e           LowerCaseLongPath  c:\program files\git\usr\bin\ssh.exe
672425  InvDB-Ver               ssh-sk-helper.ex|526e238c0df646d1  BinProductVersion  (Empty)
672424  InvDB-CompileTimeClaim  ssh-sk-helper.ex|526e238c0df646d1  LinkDate           01/01/1970 00:00:00
672423  InvDB-Pub               ssh-sk-helper.ex|526e238c0df646d1  Publisher          (Empty)
672422  InvDB-Path              ssh-sk-helper.ex|526e238c0df646d1  LowerCaseLongPath  c:\program files\git\usr\lib\ssh\ssh-sk-helper.exe
672421  InvDB-Ver               ssh-pkcs11-helpe|d67a44ebac5d5f31  BinProductVersion  (Empty)
672420  InvDB-CompileTimeClaim  ssh-pkcs11-helpe|d67a44ebac5d5f31  LinkDate           01/01/1970 00:00:00
672419  InvDB-Pub               ssh-pkcs11-helpe|d67a44ebac5d5f31  Publisher          (Empty)
672418  InvDB-Path              ssh-pkcs11-helpe|d67a44ebac5d5f31  LowerCaseLongPath  c:\program files\git\usr\lib\ssh\ssh-pkcs11-helper.exe
672417  InvDB-Ver               ssh-pageant.exe|f558d3a8a2e8201c   BinProductVersion  (Empty)
672416  InvDB-CompileTimeClaim  ssh-pageant.exe|f558d3a8a2e8201c   LinkDate           01/01/1970 00:00:00
672415  InvDB-Pub               ssh-pageant.exe|f558d3a8a2e8201c   Publisher          (Empty)
672414  InvDB-Path              ssh-pageant.exe|f558d3a8a2e8201c   LowerCaseLongPath  c:\program files\git\usr\bin\ssh-pageant.exe
672413  InvDB-Ver               ssh-keysign.exe|9428dc5f875b1cbe   BinProductVersion  (Empty)
672412  InvDB-CompileTimeClaim  ssh-keysign.exe|9428dc5f875b1cbe   LinkDate           01/01/1970 00:00:00
672411  InvDB-Pub               ssh-keysign.exe|9428dc5f875b1cbe   Publisher          (Empty)
672410  InvDB-Path              ssh-keysign.exe|9428dc5f875b1cbe   LowerCaseLongPath  c:\program files\git\usr\lib\ssh\ssh-keysign.exe
672409  InvDB-Ver               ssh-keyscan.exe|54318a1f39629d66   BinProductVersion  (Empty)
672408  InvDB-CompileTimeClaim  ssh-keyscan.exe|54318a1f39629d66   LinkDate           01/01/1970 00:00:00
672407  InvDB-Pub               ssh-keyscan.exe|54318a1f39629d66   Publisher          (Empty)
672406  InvDB-Path              ssh-keyscan.exe|54318a1f39629d66   LowerCaseLongPath  c:\program files\git\usr\bin\ssh-keyscan.exe
672405  InvDB-Ver               ssh-keygen.exe|4fd9485267bf242f    BinProductVersion  (Empty)
672404  InvDB-CompileTimeClaim  ssh-keygen.exe|4fd9485267bf242f    LinkDate           01/01/1970 00:00:00
672403  InvDB-Pub               ssh-keygen.exe|4fd9485267bf242f    Publisher          (Empty)
672402  InvDB-Path              ssh-keygen.exe|4fd9485267bf242f    LowerCaseLongPath  c:\program files\git\usr\bin\ssh-keygen.exe
672401  InvDB-Ver               ssh-agent.exe|1411e9f6efc17c0f     BinProductVersion  (Empty)
672400  InvDB-CompileTimeClaim  ssh-agent.exe|1411e9f6efc17c0f     LinkDate           01/01/1970 00:00:00
672399  InvDB-Pub               ssh-agent.exe|1411e9f6efc17c0f     Publisher          (Empty)
672398  InvDB-Path              ssh-agent.exe|1411e9f6efc17c0f     LowerCaseLongPath  c:\program files\git\usr\bin\ssh-agent.exe
672397  InvDB-Ver               ssh-add.exe|52771e80916527e6       BinProductVersion  (Empty)
672396  InvDB-CompileTimeClaim  ssh-add.exe|52771e80916527e6       LinkDate           01/01/1970 00:00:00
672395  InvDB-Pub               ssh-add.exe|52771e80916527e6       Publisher          (Empty)
672394  InvDB-Path              ssh-add.exe|52771e80916527e6       LowerCaseLongPath  c:\program files\git\usr\bin\ssh-add.exe
672393  InvDB-Ver               split.exe|6b78af18101c82a4         BinProductVersion  (Empty)
672392  InvDB-CompileTimeClaim  split.exe|6b78af18101c82a4         LinkDate           01/01/1970 00:00:00
672391  InvDB-Pub               split.exe|6b78af18101c82a4         Publisher          (Empty)
672390  InvDB-Path              split.exe|6b78af18101c82a4         LowerCaseLongPath  c:\program files\git\usr\bin\split.exe
672389  InvDB-Ver               sort.exe|5a1eaeebcdfdfa5b          BinProductVersion  (Empty)
672388  InvDB-CompileTimeClaim  sort.exe|5a1eaeebcdfdfa5b          LinkDate           01/01/1970 00:00:00
672387  InvDB-Pub               sort.exe|5a1eaeebcdfdfa5b          Publisher          (Empty)
672386  InvDB-Path              sort.exe|5a1eaeebcdfdfa5b          LowerCaseLongPath  c:\program files\git\usr\bin\sort.exe
672385  InvDB-Ver               sleep.exe|1e8f62417166ba32         BinProductVersion  (Empty)
672384  InvDB-CompileTimeClaim  sleep.exe|1e8f62417166ba32         LinkDate           01/01/1970 00:00:00
672383  InvDB-Pub               sleep.exe|1e8f62417166ba32         Publisher          (Empty)
672382  InvDB-Path              sleep.exe|1e8f62417166ba32         LowerCaseLongPath  c:\program files\git\usr\bin\sleep.exe
672381  InvDB-Ver               shuf.exe|cfb51deed9f02428          BinProductVersion  (Empty)
672380  InvDB-CompileTimeClaim  shuf.exe|cfb51deed9f02428          LinkDate           01/01/1970 00:00:00
672379  InvDB-Pub               shuf.exe|cfb51deed9f02428          Publisher          (Empty)
672378  InvDB-Path              shuf.exe|cfb51deed9f02428          LowerCaseLongPath  c:\program files\git\usr\bin\shuf.exe
672377  InvDB-Ver               shred.exe|43071571d2a31944         BinProductVersion  (Empty)
672376  InvDB-CompileTimeClaim  shred.exe|43071571d2a31944         LinkDate           01/01/1970 00:00:00
672375  InvDB-Pub               shred.exe|43071571d2a31944         Publisher          (Empty)
672374  InvDB-Path              shred.exe|43071571d2a31944         LowerCaseLongPath  c:\program files\git\usr\bin\shred.exe
672373  InvDB-Ver               sha512sum.exe|f96cb84497fcdcc3     BinProductVersion  (Empty)
672372  InvDB-CompileTimeClaim  sha512sum.exe|f96cb84497fcdcc3     LinkDate           01/01/1970 00:00:00
672371  InvDB-Pub               sha512sum.exe|f96cb84497fcdcc3     Publisher          (Empty)
672370  InvDB-Path              sha512sum.exe|f96cb84497fcdcc3     LowerCaseLongPath  c:\program files\git\usr\bin\sha512sum.exe
672369  InvDB-Ver               sha384sum.exe|ea7c3d331520b41a     BinProductVersion  (Empty)
672368  InvDB-CompileTimeClaim  sha384sum.exe|ea7c3d331520b41a     LinkDate           01/01/1970 00:00:00
672367  InvDB-Pub               sha384sum.exe|ea7c3d331520b41a     Publisher          (Empty)
672366  InvDB-Path              sha384sum.exe|ea7c3d331520b41a     LowerCaseLongPath  c:\program files\git\usr\bin\sha384sum.exe
672365  InvDB-Ver               sha256sum.exe|d1427df5ba9eb839     BinProductVersion  (Empty)
672364  InvDB-CompileTimeClaim  sha256sum.exe|d1427df5ba9eb839     LinkDate           01/01/1970 00:00:00
672363  InvDB-Pub               sha256sum.exe|d1427df5ba9eb839     Publisher          (Empty)
672362  InvDB-Path              sha256sum.exe|d1427df5ba9eb839     LowerCaseLongPath  c:\program files\git\usr\bin\sha256sum.exe
672361  InvDB-Ver               sha224sum.exe|fc63c300ff87f33f     BinProductVersion  (Empty)
672360  InvDB-CompileTimeClaim  sha224sum.exe|fc63c300ff87f33f     LinkDate           01/01/1970 00:00:00
672359  InvDB-Pub               sha224sum.exe|fc63c300ff87f33f     Publisher          (Empty)
672358  InvDB-Path              sha224sum.exe|fc63c300ff87f33f     LowerCaseLongPath  c:\program files\git\usr\bin\sha224sum.exe
672357  InvDB-Ver               sha1sum.exe|f6d44c369684cd7e       BinProductVersion  (Empty)
672356  InvDB-CompileTimeClaim  sha1sum.exe|f6d44c369684cd7e       LinkDate           01/01/1970 00:00:00
672355  InvDB-Pub               sha1sum.exe|f6d44c369684cd7e       Publisher          (Empty)
672354  InvDB-Path              sha1sum.exe|f6d44c369684cd7e       LowerCaseLongPath  c:\program files\git\usr\bin\sha1sum.exe
672353  InvDB-Ver               sh.exe|464d78a7aeef6674            BinProductVersion  2.31.1.1
672352  InvDB-CompileTimeClaim  sh.exe|464d78a7aeef6674            LinkDate           03/27/2021 09:48:40

Record 672351 is cut off in the export and is left as exported:
13241300x8000000000000000672351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\Publisherthe git development community 13241300x8000000000000000672350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LowerCaseLongPathc:\program files\git\bin\sh.exe 13241300x8000000000000000672349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\BinProductVersion(Empty) 13241300x8000000000000000672348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LinkDate12/04/2018 10:21:15 13241300x8000000000000000672347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\Publisher(Empty) 13241300x8000000000000000672346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LowerCaseLongPathc:\program files\git\usr\bin\sh.exe 13241300x8000000000000000672345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\BinProductVersion(Empty) 13241300x8000000000000000672344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\Publisher(Empty) 13241300x8000000000000000672342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LowerCaseLongPathc:\program files\git\usr\bin\sftp.exe 13241300x8000000000000000672341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\BinProductVersion(Empty) 13241300x8000000000000000672340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\Publisher(Empty) 13241300x8000000000000000672338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LowerCaseLongPathc:\program files\git\usr\lib\ssh\sftp-server.exe 13241300x8000000000000000672337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\BinProductVersion(Empty) 13241300x8000000000000000672336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\Publisher(Empty) 13241300x8000000000000000672334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LowerCaseLongPathc:\program files\git\mingw64\bin\sexp-conv.exe 13241300x8000000000000000672333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\BinProductVersion(Empty) 13241300x8000000000000000672332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\Publisher(Empty) 13241300x8000000000000000672330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LowerCaseLongPathc:\program files\git\usr\bin\sexp-conv.exe 13241300x8000000000000000672329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\BinProductVersion(Empty) 13241300x8000000000000000672328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\Publisher(Empty) 13241300x8000000000000000672326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LowerCaseLongPathc:\program files\git\usr\bin\setmetamode.exe 13241300x8000000000000000672325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\BinProductVersion(Empty) 13241300x8000000000000000672324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\Publisher(Empty) 13241300x8000000000000000672322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LowerCaseLongPathc:\program files\git\usr\bin\setfacl.exe 13241300x8000000000000000672321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\BinProductVersion(Empty) 13241300x8000000000000000672320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\Publisher(Empty) 13241300x8000000000000000672318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LowerCaseLongPathc:\program files\git\usr\bin\seq.exe 13241300x8000000000000000672317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\BinProductVersion(Empty) 13241300x8000000000000000672316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\Publisher(Empty) 13241300x8000000000000000672314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LowerCaseLongPathc:\program files\git\usr\bin\sed.exe 13241300x8000000000000000672313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\BinProductVersion(Empty) 13241300x8000000000000000672312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\Publisher(Empty) 
13241300x8000000000000000672310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LowerCaseLongPathc:\program files\git\usr\bin\sdiff.exe 13241300x8000000000000000672309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\BinProductVersion(Empty) 13241300x8000000000000000672308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\Publisher(Empty) 13241300x8000000000000000672306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LowerCaseLongPathc:\program files\git\usr\bin\scp.exe 13241300x8000000000000000672305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\BinProductVersion(Empty) 13241300x8000000000000000672304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\Publisher(Empty) 13241300x8000000000000000672302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\scdaemon.exe 13241300x8000000000000000672301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\BinProductVersion(Empty) 13241300x8000000000000000672300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\Publisher(Empty) 13241300x8000000000000000672298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LowerCaseLongPathc:\program files\git\usr\bin\rvim.exe 13241300x8000000000000000672297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\BinProductVersion(Empty) 13241300x8000000000000000672296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\Publisher(Empty) 13241300x8000000000000000672294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LowerCaseLongPathc:\program files\git\usr\bin\rview.exe 13241300x8000000000000000672293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\BinProductVersion(Empty) 13241300x8000000000000000672292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\Publisher(Empty) 13241300x8000000000000000672290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LowerCaseLongPathc:\program files\git\usr\bin\runcon.exe 13241300x8000000000000000672289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\BinProductVersion(Empty) 13241300x8000000000000000672288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\Publisher(Empty) 13241300x8000000000000000672286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LowerCaseLongPathc:\program files\git\usr\bin\rnano.exe 13241300x8000000000000000672285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\BinProductVersion(Empty) 13241300x8000000000000000672284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\Publisher(Empty) 13241300x8000000000000000672282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LowerCaseLongPathc:\program files\git\usr\lib\tar\rmt.exe 13241300x8000000000000000672281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\BinProductVersion(Empty) 13241300x8000000000000000672280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\Publisher(Empty) 13241300x8000000000000000672278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LowerCaseLongPathc:\program files\git\usr\bin\rmdir.exe 13241300x8000000000000000672277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\BinProductVersion(Empty) 13241300x8000000000000000672276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\Publisher(Empty) 
13241300x8000000000000000672274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LowerCaseLongPathc:\program files\git\usr\bin\rm.exe 13241300x8000000000000000672273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\BinProductVersion(Empty) 13241300x8000000000000000672272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\Publisher(Empty) 13241300x8000000000000000672270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LowerCaseLongPathc:\program files\git\usr\bin\reset.exe 13241300x8000000000000000672269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\BinProductVersion(Empty) 13241300x8000000000000000672268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\Publisher(Empty) 13241300x8000000000000000672266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LowerCaseLongPathc:\program files\git\usr\bin\regtool.exe 13241300x8000000000000000672265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\BinProductVersion(Empty) 13241300x8000000000000000672264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\Publisher(Empty) 13241300x8000000000000000672262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LowerCaseLongPathc:\program files\git\usr\bin\recode-sr-latin.exe 13241300x8000000000000000672261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\BinProductVersion(Empty) 13241300x8000000000000000672260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\Publisher(Empty) 13241300x8000000000000000672258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LowerCaseLongPathc:\program files\git\usr\bin\rebase.exe 13241300x8000000000000000672257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\BinProductVersion(Empty) 13241300x8000000000000000672256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\Publisher(Empty) 13241300x8000000000000000672254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LowerCaseLongPathc:\program files\git\usr\bin\realpath.exe 13241300x8000000000000000672253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\BinProductVersion(Empty) 13241300x8000000000000000672252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\Publisher(Empty) 13241300x8000000000000000672250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LowerCaseLongPathc:\program files\git\usr\bin\readlink.exe 13241300x8000000000000000672249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\BinProductVersion(Empty) 13241300x8000000000000000672248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\Publisher(Empty) 13241300x8000000000000000672246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LowerCaseLongPathc:\program files\git\usr\bin\pwd.exe 13241300x8000000000000000672245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\BinProductVersion(Empty) 13241300x8000000000000000672244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\Publisher(Empty) 13241300x8000000000000000672242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LowerCaseLongPathc:\program files\git\usr\lib\awk\pwcat.exe 13241300x8000000000000000672241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\BinProductVersion(Empty) 13241300x8000000000000000672240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\Publisher(Empty) 13241300x8000000000000000672238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LowerCaseLongPathc:\program files\git\usr\bin\ptx.exe 13241300x8000000000000000672237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\BinProductVersion(Empty) 13241300x8000000000000000672236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\Publisher(Empty) 13241300x8000000000000000672234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LowerCaseLongPathc:\program 
files\git\usr\bin\psl.exe 13241300x8000000000000000672233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\BinProductVersion(Empty) 13241300x8000000000000000672232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\Publisher(Empty) 13241300x8000000000000000672230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LowerCaseLongPathc:\program files\git\usr\bin\ps.exe 13241300x8000000000000000672229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\BinProductVersion(Empty) 13241300x8000000000000000672228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\Publisher(Empty) 13241300x8000000000000000672226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LowerCaseLongPathc:\program files\git\mingw64\bin\proxy-lookup.exe 13241300x8000000000000000672225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\BinProductVersion(Empty) 13241300x8000000000000000672224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\Publisher(Empty) 13241300x8000000000000000672222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LowerCaseLongPathc:\program files\git\usr\bin\printf.exe 13241300x8000000000000000672221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\BinProductVersion(Empty) 13241300x8000000000000000672220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\Publisher(Empty) 13241300x8000000000000000672218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LowerCaseLongPathc:\program files\git\usr\bin\printenv.exe 13241300x8000000000000000672217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\BinProductVersion(Empty) 13241300x8000000000000000672216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\Publisher(Empty) 13241300x8000000000000000672214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LowerCaseLongPathc:\program files\git\usr\bin\pr.exe 13241300x8000000000000000672213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\BinProductVersion(Empty) 13241300x8000000000000000672212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\Publisher(Empty) 13241300x8000000000000000672210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LowerCaseLongPathc:\program files\git\usr\bin\pluginviewer.exe 13241300x8000000000000000672209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\BinProductVersion(Empty) 13241300x8000000000000000672208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\Publisher(Empty) 13241300x8000000000000000672206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LowerCaseLongPathc:\program files\git\usr\bin\pldd.exe 13241300x8000000000000000672205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\BinProductVersion(Empty) 13241300x8000000000000000672204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\Publisher(Empty) 13241300x8000000000000000672202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LowerCaseLongPathc:\program files\git\mingw64\bin\pkcs1-conv.exe 13241300x8000000000000000672201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\BinProductVersion(Empty) 13241300x8000000000000000672200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\Publisher(Empty) 13241300x8000000000000000672198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LowerCaseLongPathc:\program files\git\usr\bin\pkcs1-conv.exe 13241300x8000000000000000672197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\BinProductVersion(Empty) 13241300x8000000000000000672196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\Publisher(Empty) 13241300x8000000000000000672194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LowerCaseLongPathc:\program files\git\usr\bin\pinky.exe 13241300x8000000000000000672193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\BinProductVersion(Empty) 13241300x8000000000000000672192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\Publisher(Empty) 13241300x8000000000000000672190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LowerCaseLongPathc:\program files\git\usr\bin\pinentry.exe 13241300x8000000000000000672189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.030{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\BinProductVersion(Empty) 13241300x8000000000000000672188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
13241300x8000000000000000672082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LowerCaseLongPathc:\program files\git\usr\bin\msguniq.exe 13241300x8000000000000000672081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\BinProductVersion(Empty) 13241300x8000000000000000672080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\Publisher(Empty) 13241300x8000000000000000672078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LowerCaseLongPathc:\program files\git\usr\bin\msgunfmt.exe 13241300x8000000000000000672077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\BinProductVersion(Empty) 13241300x8000000000000000672076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\Publisher(Empty) 13241300x8000000000000000672074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LowerCaseLongPathc:\program files\git\usr\bin\msgmerge.exe 13241300x8000000000000000672073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\BinProductVersion(Empty) 13241300x8000000000000000672072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LinkDate01/18/2021 06:51:50 13241300x8000000000000000672071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\Publisher(Empty) 13241300x8000000000000000672070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LowerCaseLongPathc:\program files\git\usr\bin\msginit.exe 13241300x8000000000000000672069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\BinProductVersion(Empty) 13241300x8000000000000000672068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\Publisher(Empty) 13241300x8000000000000000672066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LowerCaseLongPathc:\program files\git\usr\bin\msggrep.exe 13241300x8000000000000000672065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\BinProductVersion(Empty) 13241300x8000000000000000672064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\Publisher(Empty) 13241300x8000000000000000672062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LowerCaseLongPathc:\program files\git\usr\bin\msgfmt.exe 13241300x8000000000000000672061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\BinProductVersion(Empty) 13241300x8000000000000000672060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\Publisher(Empty) 13241300x8000000000000000672058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LowerCaseLongPathc:\program files\git\usr\bin\msgfilter.exe 13241300x8000000000000000672057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\BinProductVersion(Empty) 13241300x8000000000000000672056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LinkDate01/01/1970 00:00:01 13241300x8000000000000000672055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\Publisher(Empty) 13241300x8000000000000000672054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LowerCaseLongPathc:\program files\git\usr\bin\msgexec.exe 13241300x8000000000000000672053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\BinProductVersion(Empty) 13241300x8000000000000000672052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\Publisher(Empty) 13241300x8000000000000000672050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LowerCaseLongPathc:\program files\git\usr\bin\msgen.exe 13241300x8000000000000000672049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\BinProductVersion(Empty) 13241300x8000000000000000672048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\Publisher(Empty) 13241300x8000000000000000672046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LowerCaseLongPathc:\program files\git\usr\bin\msgconv.exe 13241300x8000000000000000672045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\BinProductVersion(Empty) 13241300x8000000000000000672044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\Publisher(Empty) 13241300x8000000000000000672042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LowerCaseLongPathc:\program files\git\usr\bin\msgcomm.exe 13241300x8000000000000000672041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\BinProductVersion(Empty) 13241300x8000000000000000672040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LinkDate05/08/2031 18:06:26 13241300x8000000000000000672039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\Publisher(Empty) 13241300x8000000000000000672038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LowerCaseLongPathc:\program files\git\usr\bin\msgcmp.exe 13241300x8000000000000000672037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\BinProductVersion(Empty) 13241300x8000000000000000672036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LinkDate01/01/1970 00:00:01 13241300x8000000000000000672035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\Publisher(Empty) 13241300x8000000000000000672034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LowerCaseLongPathc:\program files\git\usr\bin\msgcat.exe 13241300x8000000000000000672033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\BinProductVersion(Empty) 13241300x8000000000000000672032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LinkDate01/01/1970 00:00:01 13241300x8000000000000000672031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\Publisher(Empty) 13241300x8000000000000000672030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LowerCaseLongPathc:\program files\git\usr\bin\msgattrib.exe 13241300x8000000000000000672029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\BinProductVersion(Empty) 13241300x8000000000000000672028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\Publisher(Empty) 13241300x8000000000000000672026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LowerCaseLongPathc:\program files\git\usr\bin\mpicalc.exe 13241300x8000000000000000672025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\BinProductVersion(Empty) 13241300x8000000000000000672024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\Publisher(Empty) 13241300x8000000000000000672022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LowerCaseLongPathc:\program files\git\usr\bin\mount.exe 13241300x8000000000000000672021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\BinProductVersion(Empty) 13241300x8000000000000000672020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\Publisher(Empty) 13241300x8000000000000000672018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LowerCaseLongPathc:\program files\git\usr\bin\mktemp.exe 13241300x8000000000000000672017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\BinProductVersion(Empty) 13241300x8000000000000000672016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\Publisher(Empty) 13241300x8000000000000000672014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LowerCaseLongPathc:\program files\git\usr\bin\mkpasswd.exe 13241300x8000000000000000672013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\BinProductVersion(Empty) 13241300x8000000000000000672012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\Publisher(Empty) 13241300x8000000000000000672010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LowerCaseLongPathc:\program files\git\usr\bin\mknod.exe 13241300x8000000000000000672009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\BinProductVersion(Empty) 13241300x8000000000000000672008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.014{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LinkDate03/26/2021 22:24:40 13241300x8000000000000000672007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LowerCaseLongPathc:\program files\git\usr\bin\infocmp.exe 13241300x8000000000000000671897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\BinProductVersion(Empty) 13241300x8000000000000000671896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\Publisher(Empty) 13241300x8000000000000000671894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LowerCaseLongPathc:\program files\git\usr\bin\id.exe 13241300x8000000000000000671893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\BinProductVersion(Empty) 13241300x8000000000000000671892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\Publisher(Empty) 13241300x8000000000000000671890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LowerCaseLongPathc:\program files\git\usr\bin\iconv.exe 13241300x8000000000000000671889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\BinProductVersion(Empty) 13241300x8000000000000000671888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\Publisher(Empty) 13241300x8000000000000000671886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LowerCaseLongPathc:\program files\git\usr\bin\hostname.exe 13241300x8000000000000000671885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\BinProductVersion(Empty) 13241300x8000000000000000671884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LinkDate06/19/2025 15:30:53 13241300x8000000000000000671883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\Publisher(Empty) 13241300x8000000000000000671882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LowerCaseLongPathc:\program files\git\usr\lib\gettext\hostname.exe 13241300x8000000000000000671881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\BinProductVersion(Empty) 13241300x8000000000000000671880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\Publisher(Empty) 13241300x8000000000000000671878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LowerCaseLongPathc:\program files\git\usr\bin\hostid.exe 13241300x8000000000000000671877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\BinProductVersion(Empty) 13241300x8000000000000000671876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\Publisher(Empty) 13241300x8000000000000000671874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LowerCaseLongPathc:\program files\git\usr\bin\hmac256.exe 13241300x8000000000000000671873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\BinProductVersion2.31.1.1 13241300x8000000000000000671872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LinkDate03/27/2021 09:56:19 13241300x8000000000000000671871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\Publisherthe git development community 13241300x8000000000000000671870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\headless-git.exe 13241300x8000000000000000671869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\BinProductVersion(Empty) 13241300x8000000000000000671868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\Publisher(Empty) 13241300x8000000000000000671866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LowerCaseLongPathc:\program files\git\usr\bin\head.exe 354300x8000000000000000671865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:15.701{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65505- 13241300x8000000000000000671864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\BinProductVersion(Empty) 13241300x8000000000000000671863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LinkDate01/01/1970 00:00:00 
13241300x8000000000000000671862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\Publisher(Empty) 13241300x8000000000000000671861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LowerCaseLongPathc:\program files\git\usr\bin\gzip.exe 13241300x8000000000000000671860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\BinProductVersion(Empty) 13241300x8000000000000000671859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\Publisher(Empty) 13241300x8000000000000000671857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LowerCaseLongPathc:\program files\git\usr\bin\gsettings.exe 13241300x8000000000000000671856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\BinProductVersion(Empty) 13241300x8000000000000000671855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\Publisher(Empty) 13241300x8000000000000000671853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LowerCaseLongPathc:\program files\git\usr\bin\groups.exe 13241300x8000000000000000671852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\BinProductVersion(Empty) 13241300x8000000000000000671851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\Publisher(Empty) 13241300x8000000000000000671849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LowerCaseLongPathc:\program files\git\usr\bin\grep.exe 13241300x8000000000000000671848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\BinProductVersion(Empty) 13241300x8000000000000000671847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\Publisher(Empty) 13241300x8000000000000000671845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LowerCaseLongPathc:\program files\git\usr\lib\awk\grcat.exe 13241300x8000000000000000671844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\BinProductVersion(Empty) 13241300x8000000000000000671843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\Publisher(Empty) 13241300x8000000000000000671841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LowerCaseLongPathc:\program files\git\usr\bin\gpgv.exe 13241300x8000000000000000671840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\BinProductVersion(Empty) 13241300x8000000000000000671839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\Publisher(Empty) 13241300x8000000000000000671837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LowerCaseLongPathc:\program files\git\usr\bin\gpgtar.exe 13241300x8000000000000000671836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\BinProductVersion(Empty) 13241300x8000000000000000671835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\Publisher(Empty) 13241300x8000000000000000671833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LowerCaseLongPathc:\program files\git\usr\bin\gpgsplit.exe 13241300x8000000000000000671832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\BinProductVersion(Empty) 13241300x8000000000000000671831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\Publisher(Empty) 13241300x8000000000000000671829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LowerCaseLongPathc:\program files\git\usr\bin\gpgsm.exe 13241300x8000000000000000671828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\BinProductVersion(Empty) 13241300x8000000000000000671827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\Publisher(Empty) 13241300x8000000000000000671825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LowerCaseLongPathc:\program files\git\usr\bin\gpgscm.exe 13241300x8000000000000000671824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\BinProductVersion(Empty) 13241300x8000000000000000671823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\Publisher(Empty) 13241300x8000000000000000671821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LowerCaseLongPathc:\program files\git\usr\bin\gpgparsemail.exe 13241300x8000000000000000671820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\BinProductVersion(Empty) 13241300x8000000000000000671819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\Publisher(Empty) 13241300x8000000000000000671817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LowerCaseLongPathc:\program files\git\usr\bin\gpgconf.exe 13241300x8000000000000000671816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\BinProductVersion(Empty) 13241300x8000000000000000671815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\Publisher(Empty) 13241300x8000000000000000671813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LowerCaseLongPathc:\program files\git\usr\bin\gpg.exe 13241300x8000000000000000671812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\BinProductVersion(Empty) 13241300x8000000000000000671811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\Publisher(Empty) 13241300x8000000000000000671809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LowerCaseLongPathc:\program files\git\usr\bin\gpg-wks-server.exe 13241300x8000000000000000671808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\BinProductVersion(Empty) 13241300x8000000000000000671807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\Publisher(Empty) 13241300x8000000000000000671805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-wks-client.exe 13241300x8000000000000000671804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\BinProductVersion(Empty) 13241300x8000000000000000671803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\Publisher(Empty) 13241300x8000000000000000671801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-protect-tool.exe 13241300x8000000000000000671800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\BinProductVersion(Empty) 13241300x8000000000000000671799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\Publisher(Empty) 13241300x8000000000000000671797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-preset-passphrase.exe 13241300x8000000000000000671796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\BinProductVersion(Empty) 13241300x8000000000000000671795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\Publisher(Empty) 13241300x8000000000000000671793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LowerCaseLongPathc:\program files\git\usr\bin\gpg-error.exe 13241300x8000000000000000671792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\BinProductVersion(Empty) 13241300x8000000000000000671791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\Publisher(Empty) 13241300x8000000000000000671789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LowerCaseLongPathc:\program files\git\usr\bin\gpg-connect-agent.exe 13241300x8000000000000000671788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\BinProductVersion(Empty) 13241300x8000000000000000671787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\Publisher(Empty) 13241300x8000000000000000671785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-check-pattern.exe 13241300x8000000000000000671784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\BinProductVersion(Empty) 13241300x8000000000000000671783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\Publisher(Empty) 13241300x8000000000000000671781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LowerCaseLongPathc:\program files\git\usr\bin\gpg-agent.exe 13241300x8000000000000000671780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\BinProductVersion(Empty) 13241300x8000000000000000671779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\Publisher(Empty) 13241300x8000000000000000671777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LowerCaseLongPathc:\program files\git\usr\bin\gobject-query.exe 13241300x8000000000000000671776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\BinProductVersion(Empty) 13241300x8000000000000000671775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\Publisher(Empty) 13241300x8000000000000000671773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LowerCaseLongPathc:\program files\git\usr\bin\glib-compile-schemas.exe 13241300x8000000000000000671772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\BinProductVersion(Empty) 13241300x8000000000000000671771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\Publisher(Empty) 13241300x8000000000000000671769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LowerCaseLongPathc:\program files\git\usr\bin\gkill.exe 13241300x8000000000000000671768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\BinProductVersion2.31.1.1 13241300x8000000000000000671767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LinkDate03/27/2021 09:48:41 13241300x8000000000000000671766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\Publisherthe git development community 13241300x8000000000000000671765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LowerCaseLongPathc:\program files\git\cmd\gitk.exe 13241300x8000000000000000671764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\BinProductVersion2.0.394.0 13241300x8000000000000000671763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LinkDate09/29/2055 20:33:00 13241300x8000000000000000671762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\Publishergithub.ui 13241300x8000000000000000671761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.ui.exe 13241300x8000000000000000671760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\BinProductVersion1.5.0.0 13241300x8000000000000000671759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\LinkDate09/05/2019 15:01:45 13241300x8000000000000000671758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\Publishergithub 13241300x8000000000000000671757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.authentication.exe 13241300x8000000000000000671756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\BinProductVersion2.31.1.1 13241300x8000000000000000671755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\Publisherthe git development community 13241300x8000000000000000671753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git.exe 13241300x8000000000000000671752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\BinProductVersion2.31.1.1 13241300x8000000000000000671751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\Publisherthe git development community 13241300x8000000000000000671749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.999{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LowerCaseLongPathc:\program files\git\bin\git.exe 13241300x8000000000000000671748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\BinProductVersion2.31.1.1 13241300x8000000000000000671747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\Publisherthe git development community 13241300x8000000000000000671745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LowerCaseLongPathc:\program files\git\mingw64\bin\git.exe 13241300x8000000000000000671744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\BinProductVersion2.31.1.1 13241300x8000000000000000671743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\Publisherthe git development community 13241300x8000000000000000671741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LowerCaseLongPathc:\program files\git\cmd\git.exe 13241300x8000000000000000671740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\BinProductVersion2.31.1.1 13241300x8000000000000000671739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\Publisherthe git development community 13241300x8000000000000000671737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-write-tree.exe 13241300x8000000000000000671736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\BinProductVersion2.31.1.1 13241300x8000000000000000671735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\Publisherthe git development community 13241300x8000000000000000671733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LowerCaseLongPathc:\program files\git\mingw64\share\git\git-wrapper.exe 13241300x8000000000000000671732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\BinProductVersion2.31.1.1 13241300x8000000000000000671731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\Publisherthe git development community 13241300x8000000000000000671729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-worktree.exe 13241300x8000000000000000671728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\BinProductVersion2.31.1.1 13241300x8000000000000000671727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671726 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671725 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-whatchanged.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671724 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671723 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671722 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671721 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-verify-tag.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671720 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671719 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671718 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671717 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-verify-pack.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671716 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671715 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671714 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671713 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-verify-commit.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671712 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671711 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671710 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671709 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-var.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671708 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671707 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671706 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671705 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LowerCaseLongPath Details=c:\program files\git\mingw64\bin\git-upload-pack.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671704 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671703 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671702 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671701 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-upload-pack.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671700 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671699 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671698 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671697 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-upload-archive.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671696 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671695 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671694 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671693 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LowerCaseLongPath Details=c:\program files\git\mingw64\bin\git-upload-archive.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671692 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671691 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671690 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671689 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-update-server-info.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671688 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671687 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671686 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671685 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-update-ref.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671684 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671683 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671682 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671681 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-update-index.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671680 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671679 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671678 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671677 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-unpack-objects.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671676 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671675 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671674 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671673 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-unpack-file.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671672 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671671 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671670 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671669 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-tag.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671668 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671667 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671666 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671665 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-symbolic-ref.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671664 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671663 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671662 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671661 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-switch.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671660 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671659 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671658 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671657 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-submodule--helper.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671656 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671655 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671654 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671653 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-stripspace.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671652 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671651 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671650 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671649 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-status.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671648 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671647 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03
15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671646 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\Publisher Details=the git development community
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671645 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Path EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LowerCaseLongPath Details=c:\program files\git\mingw64\libexec\git-core\git-stash.exe
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671644 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Ver EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\BinProductVersion Details=2.31.1.1
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671643 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-CompileTimeClaim EventType=SetValue UtcTime=2021-06-03 15:29:18.983 ProcessGuid={D419E45B-F54C-60B8-3551-00000000C401} ProcessId=1612 Image=C:\Windows\system32\compattelrunner.exe TargetObject=\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LinkDate Details=03/27/2021 09:56:23
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=671642 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-233.attackrange.local RuleName=InvDB-Pub EventType=SetValue UtcTime=2021-06-03
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\Publisherthe git development community 13241300x8000000000000000671641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stage.exe 13241300x8000000000000000671640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\BinProductVersion2.31.1.1 13241300x8000000000000000671639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\Publisherthe git development community 13241300x8000000000000000671637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sparse-checkout.exe 13241300x8000000000000000671636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\BinProductVersion2.31.1.1 13241300x8000000000000000671635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\Publisherthe git development community 13241300x8000000000000000671633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show.exe 13241300x8000000000000000671632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\BinProductVersion2.31.1.1 13241300x8000000000000000671631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\Publisherthe git development community 13241300x8000000000000000671629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-ref.exe 13241300x8000000000000000671628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\BinProductVersion2.31.1.1 13241300x8000000000000000671627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\Publisherthe git development community 13241300x8000000000000000671625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-index.exe 13241300x8000000000000000671624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\BinProductVersion2.31.1.1 13241300x8000000000000000671623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\Publisherthe git development community 13241300x8000000000000000671621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-branch.exe 13241300x8000000000000000671620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\BinProductVersion2.31.1.1 13241300x8000000000000000671619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\Publisherthe git development community 13241300x8000000000000000671617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-shortlog.exe 13241300x8000000000000000671616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\BinProductVersion2.31.1.1 13241300x8000000000000000671615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LinkDate03/27/2021 09:56:28 13241300x8000000000000000671614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\Publisherthe git development community 13241300x8000000000000000671613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe 13241300x8000000000000000671612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\BinProductVersion2.31.1.1 13241300x8000000000000000671611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\Publisherthe git development community 13241300x8000000000000000671609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-send-pack.exe 13241300x8000000000000000671608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\BinProductVersion2.31.1.1 13241300x8000000000000000671607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\Publisherthe git development community 13241300x8000000000000000671605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rm.exe 13241300x8000000000000000671604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\BinProductVersion2.31.1.1 13241300x8000000000000000671603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\Publisherthe git development community 13241300x8000000000000000671601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-revert.exe 13241300x8000000000000000671600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\BinProductVersion2.31.1.1 13241300x8000000000000000671599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LinkDate03/27/2021 09:56:23 13241300x8000000000000000671598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\Publisherthe git development community 13241300x8000000000000000671597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:18.983{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-parse.exe 23542300x8000000000000000614013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:20.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087765A7ECA1E35FB5501D388C9BEEAE,SHA256=3C2086BB64C560D8BC74838945D07091B9E38EF6C4D25FB7D714BF11417B6CC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59f2c|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107 
10341000x8000000000000000673020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59f2c|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107 10341000x8000000000000000673019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59f2c|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8 10341000x8000000000000000673018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59f2c|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000673017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59ecc|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107 10341000x8000000000000000673016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59ecc|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107 10341000x8000000000000000673015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59ecc|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8 10341000x8000000000000000673014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59ecc|C:\Windows\System32\ieframe.dll+59dd4|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000673013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59dc5|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000673012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59dc5|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000673011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59dc5|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000673010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59dc5|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028 10341000x8000000000000000673009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d8a|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000673008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d8a|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000673007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d8a|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000673006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d8a|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028 10341000x8000000000000000673005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d4f|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000673004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d4f|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000673003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d4f|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000673002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.759{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+59d4f|C:\Windows\System32\ieframe.dll+59a17|C:\Windows\System32\ieframe.dll+5993c|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028 10341000x8000000000000000673001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+12e6c6|C:\Windows\System32\ieframe.dll+5966f|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107 10341000x8000000000000000673000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+12e6c6|C:\Windows\System32\ieframe.dll+5966f|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107 10341000x8000000000000000672999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+12e6c6|C:\Windows\System32\ieframe.dll+5966f|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8 10341000x8000000000000000672998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+12e6c6|C:\Windows\System32\ieframe.dll+5966f|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000672997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000672996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028|C:\Windows\SYSTEM32\MSHTML.dll+139bf0|C:\Windows\SYSTEM32\MSHTML.dll+138107|C:\Windows\SYSTEM32\MSHTML.dll+84141 10341000x8000000000000000672995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000672994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d|C:\Windows\SYSTEM32\MSHTML.dll+137028 10341000x8000000000000000672993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+60bba|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000672992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8 10341000x8000000000000000672991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program 
Files\WinRAR\th.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Windows\System32\ieframe.dll+12e7c3|C:\Windows\System32\ieframe.dll+176776|C:\Windows\System32\ieframe.dll+59913|C:\Windows\System32\ieframe.dll+22785|C:\Windows\System32\ieframe.dll+224ea|C:\Windows\System32\ieframe.dll+1fb79|C:\Windows\System32\ieframe.dll+e2650|C:\Windows\System32\ieframe.dll+11a81b|C:\Windows\System32\ieframe.dll+a8aac|C:\Windows\System32\ieframe.dll+a904c|C:\Windows\System32\ieframe.dll+a8e3d|C:\Windows\System32\ieframe.dll+a8d57|C:\Windows\SYSTEM32\MSHTML.dll+13bed8|C:\Windows\SYSTEM32\MSHTML.dll+13b79d 10341000x8000000000000000672990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:21.743{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.743{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000672987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.697{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7CB107DBB79D43DFD1E0C117D84C9367,SHA256=B6521EE380806DF70C3F8170023B3D45F54451FB2E2D4B5B26539F48CB3DEEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000672986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.697{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0E6CDC5F4CAA64998B505E25EB353EA9,SHA256=7CDEDE892CD970FE7020E523CAF3C6A697190BF37B24E193B37E91FB492ECA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000672985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.665{D419E45B-78A4-60B6-BF02-00000000C401}3976ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.dbMD5=48D16598BF2C32D45BC0934F96143701,SHA256=9330556B1135B384A23D99A3199D7C78D1EC0051C6834C60D4630CA9C1111A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000672984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.650{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0BB979EE2E481672BB6F24E23879E2,SHA256=143A3E4E514738325DA45DA0C597D79509116ED1464D99608107564326A57B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000672983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:21.650{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=375D813EF43955C54D31986D93B36538,SHA256=EE2F3A9CA1AFFDB24941BBF4C04B7E7129D7F5D1819AD139A113E939C99CD7DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000672982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:20.634{D419E45B-752F-60B6-1200-00000000C401}4801636C:\Windows\system32\svchost.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:20.634{D419E45B-752F-60B6-1200-00000000C401}4801636C:\Windows\system32\svchost.exe{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:20.634{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
Files\WinRAR\th.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:20.634{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:20.634{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program 
13241300x8000000000000000672874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.311{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btool.exe 13241300x8000000000000000672873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.311{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\00006e465eb93b9ef9ed1111015f594f733000000904\PublisherSplunk, Inc. 13241300x8000000000000000672872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.249{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\BinProductVersion(Empty) 13241300x8000000000000000672871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.249{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.249{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\Publisher(Empty) 13241300x8000000000000000672869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.249{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LowerCaseLongPathc:\program files\amazon\ssm\ssm-agent-worker.exe 13241300x8000000000000000672868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.249{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\0000a9678529fb5fa8569685ef3e4543583f00000904\PublisherAmazon Web Services 13241300x8000000000000000672867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.233{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\0000a32b64966830ad0100b29547ca55110200000904\PublisherAmazon Web Services 13241300x8000000000000000672866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\BinProductVersion8.2.9.8 13241300x8000000000000000672865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LinkDate07/08/2020 18:42:42 13241300x8000000000000000672864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\Publisheramazon inc. 13241300x8000000000000000672863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\xenvif.sys 13241300x8000000000000000672862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\BinProductVersion8.4.0.11 13241300x8000000000000000672861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LinkDate01/12/2021 17:17:37 13241300x8000000000000000672860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\Publisheramazon inc. 
13241300x8000000000000000672859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xenvbd.sys 13241300x8000000000000000672858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\BinProductVersion8.2.5.32 13241300x8000000000000000672857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LinkDate11/19/2018 22:01:56 13241300x8000000000000000672856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\Publisheramazon inc. 
13241300x8000000000000000672855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xennet\xennet.sys 13241300x8000000000000000672854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\BinProductVersion8.2.7.5 13241300x8000000000000000672853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\LinkDate12/16/2019 19:58:01 13241300x8000000000000000672852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\Publisheramazon inc. 
13241300x8000000000000000672851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\xeniface.sys 13241300x8000000000000000672850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\BinProductVersion8.3.0.7 13241300x8000000000000000672849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\LinkDate02/12/2021 02:15:56 13241300x8000000000000000672848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\Publisheramazon inc. 
13241300x8000000000000000672847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xenfilt.sys 13241300x8000000000000000672846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\BinProductVersion8.4.0.11 13241300x8000000000000000672845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\LinkDate01/12/2021 17:17:43 13241300x8000000000000000672844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\Publisheramazon inc. 
13241300x8000000000000000672843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xendisk.sys 13241300x8000000000000000672842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\BinProductVersion8.4.0.11 13241300x8000000000000000672841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\LinkDate01/12/2021 17:17:19 13241300x8000000000000000672840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\Publisheramazon inc. 
13241300x8000000000000000672839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xencrsh.sys 13241300x8000000000000000672838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\BinProductVersion8.3.0.7 13241300x8000000000000000672837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\LinkDate02/12/2021 02:15:52 13241300x8000000000000000672836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\Publisheramazon inc. 
13241300x8000000000000000672835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xenbus.sys 13241300x8000000000000000672834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\BinProductVersion8.3.0.7 13241300x8000000000000000672833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\LinkDate02/12/2021 02:15:39 13241300x8000000000000000672832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\Publisheramazon inc. 
13241300x8000000000000000672831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xen.sys 13241300x8000000000000000672830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\BinProductVersion8.2.7.5 13241300x8000000000000000672829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\LinkDate12/16/2019 19:58:07 13241300x8000000000000000672828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\Publisheramazon inc. 
13241300x8000000000000000672827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\liteagent.exe 13241300x8000000000000000672826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\BinProductVersion2.1.0.0 13241300x8000000000000000672825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\LinkDate05/23/2009 10:37:17 13241300x8000000000000000672824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\Publishermicrosoft corporation 13241300x8000000000000000672823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\dpinst.exe 
13241300x8000000000000000672822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\BinProductVersion2.1.0.0 13241300x8000000000000000672821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\LinkDate05/23/2009 10:37:17 13241300x8000000000000000672820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\Publishermicrosoft corporation 13241300x8000000000000000672819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xennet\dpinst.exe 13241300x8000000000000000672818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\BinProductVersion2.1.0.0 13241300x8000000000000000672817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\LinkDate05/23/2009 10:37:17 13241300x8000000000000000672816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\Publishermicrosoft corporation 13241300x8000000000000000672815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\dpinst.exe 13241300x8000000000000000672814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\BinProductVersion2.1.0.0 13241300x8000000000000000672813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\LinkDate05/23/2009 10:37:17 13241300x8000000000000000672812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\Publishermicrosoft corporation 13241300x8000000000000000672811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\dpinst.exe 13241300x8000000000000000672810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\BinProductVersion2.1.0.0 13241300x8000000000000000672809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\LinkDate05/23/2009 10:37:17 13241300x8000000000000000672808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\Publishermicrosoft corporation 13241300x8000000000000000672807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\dpinst.exe 13241300x8000000000000000672806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.217{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\0000ecb9837aa96085e95a514805c6e0a2b900000904\PublisherAmazon Web Services 13241300x8000000000000000672805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.170{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplication\0000c27c9fa19b318e2f294a4ee09334849d00000904\PublisherMicrosoft Corporation 13241300x8000000000000000672804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.124{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\BinProductVersion7.9.5.0 13241300x8000000000000000672803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.124{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LinkDate12/15/2018 22:24:36 13241300x8000000000000000672802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
Sysmon Event ID 13 (RegistryEvent: SetValue) records. Constant fields, stated once:
Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-233.attackrange.local
Image: C:\Windows\system32\compattelrunner.exe   ProcessGuid: {D419E45B-F54C-60B8-3551-00000000C401}   ProcessId: 1612
UtcTime date: 2021-06-03
TargetObject prefix: \REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\
Columns: RecordNumber  UtcTime  RuleName  TargetObject (after the prefix)  ->  Details

(cont.) 15:29:19.124  (RuleName on preceding page) InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\Publisher  ->  don ho don.h@free.fr
672801  15:29:19.124  InvDB-Path              InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LowerCaseLongPath  ->  c:\program files\notepad++\uninstall.exe
672800  15:29:19.124  InvDB-Ver               InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion  ->  7.9.5.0
672799  15:29:19.124  InvDB-CompileTimeClaim  InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate  ->  03/21/2021 01:15:42
672798  15:29:19.124  InvDB-Pub               InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisher  ->  don ho don.h@free.fr
672797  15:29:19.124  InvDB-Path              InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPath  ->  c:\program files\notepad++\notepad++.exe
672796  15:29:19.124  InvDB-Ver               InventoryApplicationFile\gup.exe|eaab466dc417ed01\BinProductVersion  ->  5.1.3.0
672795  15:29:19.124  InvDB-CompileTimeClaim  InventoryApplicationFile\gup.exe|eaab466dc417ed01\LinkDate  ->  03/08/2021 20:02:13
672794  15:29:19.124  InvDB-Pub               InventoryApplicationFile\gup.exe|eaab466dc417ed01\Publisher  ->  don ho don.h@free.fr
672793  15:29:19.124  InvDB-Path              InventoryApplicationFile\gup.exe|eaab466dc417ed01\LowerCaseLongPath  ->  c:\program files\notepad++\updater\gup.exe
672792  15:29:19.124  InvDB-Pub               InventoryApplication\0000e22a0949596eef20fe03957e1f2fbd7e0000ffff\Publisher  ->  Notepad++ Team
672791  15:29:19.108  InvDB-Ver               InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion  ->  (Empty)
672790  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate  ->  (Empty)
672789  15:29:19.108  InvDB-Pub               InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisher  ->  don ho don.h@free.fr
672788  15:29:19.108  InvDB-Path              InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPath  ->  c:\program files\notepad++\notepad++.exe
672787  15:29:19.108  InvDB-Ver               InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\BinProductVersion  ->  1.0.0.0
672786  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LinkDate  ->  12/11/2016 21:50:55
672785  15:29:19.108  InvDB-Pub               InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\Publisher  ->  mozilla corporation
672784  15:29:19.108  InvDB-Path              InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LowerCaseLongPath  ->  c:\program files (x86)\mozilla maintenance service\uninstall.exe
672783  15:29:19.108  InvDB-Ver               InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\BinProductVersion  ->  89.0.0.7817
672782  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LinkDate  ->  05/27/2021 19:03:37
672781  15:29:19.108  InvDB-Pub               InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\Publisher  ->  mozilla foundation
672780  15:29:19.108  InvDB-Path              InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LowerCaseLongPath  ->  c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
672779  15:29:19.108  InvDB-Pub               InventoryApplication\00007764cea13684f9dc2a58271536828ad70000ffff\Publisher  ->  Mozilla
672778  15:29:19.108  InvDB-Ver               InventoryApplicationFile\updater.exe|c1b2e9c223e636df\BinProductVersion  ->  89.0.0.7817
672777  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LinkDate  ->  05/27/2021 19:03:01
672776  15:29:19.108  InvDB-Pub               InventoryApplicationFile\updater.exe|c1b2e9c223e636df\Publisher  ->  mozilla foundation
672775  15:29:19.108  InvDB-Path              InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LowerCaseLongPath  ->  c:\program files\mozilla firefox\updater.exe
672774  15:29:19.108  InvDB-Ver               InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\BinProductVersion  ->  89.0.0.0
672773  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LinkDate  ->  05/27/2021 19:13:18
672772  15:29:19.108  InvDB-Pub               InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\Publisher  ->  mozilla corporation
672771  15:29:19.108  InvDB-Path              InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LowerCaseLongPath  ->  c:\program files\mozilla firefox\plugin-container.exe
672770  15:29:19.108  InvDB-Ver               InventoryApplicationFile\pingsender.exe|aaf23943349d4957\BinProductVersion  ->  89.0.0.7817
672769  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LinkDate  ->  05/27/2021 19:03:37
672768  15:29:19.108  InvDB-Pub               InventoryApplicationFile\pingsender.exe|aaf23943349d4957\Publisher  ->  mozilla foundation
672767  15:29:19.108  InvDB-Path              InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LowerCaseLongPath  ->  c:\program files\mozilla firefox\pingsender.exe
672766  15:29:19.108  InvDB-Ver               InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\BinProductVersion  ->  89.0.0.7817
672765  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LinkDate  ->  05/27/2021 19:03:39
672764  15:29:19.108  InvDB-Pub               InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\Publisher  ->  mozilla foundation
672763  15:29:19.108  InvDB-Path              InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LowerCaseLongPath  ->  c:\program files\mozilla firefox\minidump-analyzer.exe
672762  15:29:19.108  InvDB-Ver               InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\BinProductVersion  ->  1.0.0.0
672761  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LinkDate  ->  12/11/2016 21:50:55
672760  15:29:19.108  InvDB-Pub               InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\Publisher  ->  mozilla corporation
672759  15:29:19.108  InvDB-Path              InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LowerCaseLongPath  ->  c:\program files\mozilla firefox\maintenanceservice_installer.exe
672758  15:29:19.108  InvDB-Ver               InventoryApplicationFile\maintenanceservi|97180995320ca115\BinProductVersion  ->  89.0.0.7817
672757  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\maintenanceservi|97180995320ca115\LinkDate  ->  05/27/2021 19:03:37
672756  15:29:19.108  InvDB-Pub               InventoryApplicationFile\maintenanceservi|97180995320ca115\Publisher  ->  mozilla foundation
672755  15:29:19.108  InvDB-Path              InventoryApplicationFile\maintenanceservi|97180995320ca115\LowerCaseLongPath  ->  c:\program files\mozilla firefox\maintenanceservice.exe
672754  15:29:19.108  InvDB-Ver               InventoryApplicationFile\helper.exe|e5fe7566efc548ac\BinProductVersion  ->  1.0.0.0
672753  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LinkDate  ->  12/11/2016 21:50:55
672752  15:29:19.108  InvDB-Pub               InventoryApplicationFile\helper.exe|e5fe7566efc548ac\Publisher  ->  mozilla corporation
672751  15:29:19.108  InvDB-Path              InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LowerCaseLongPath  ->  c:\program files\mozilla firefox\uninstall\helper.exe
672750  15:29:19.108  InvDB-Ver               InventoryApplicationFile\firefox.exe|ebd16581180f4552\BinProductVersion  ->  89.0.0.0
672749  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\firefox.exe|ebd16581180f4552\LinkDate  ->  05/27/2021 19:03:18
672748  15:29:19.108  InvDB-Pub               InventoryApplicationFile\firefox.exe|ebd16581180f4552\Publisher  ->  mozilla corporation
672747  15:29:19.108  InvDB-Path              InventoryApplicationFile\firefox.exe|ebd16581180f4552\LowerCaseLongPath  ->  c:\program files\mozilla firefox\firefox.exe
672746  15:29:19.108  InvDB-Ver               InventoryApplicationFile\default-browser-|dc77861eecd2248\BinProductVersion  ->  89.0.0.7817
672745  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\default-browser-|dc77861eecd2248\LinkDate  ->  05/27/2021 19:05:35
672744  15:29:19.108  InvDB-Pub               InventoryApplicationFile\default-browser-|dc77861eecd2248\Publisher  ->  mozilla foundation
672743  15:29:19.108  InvDB-Path              InventoryApplicationFile\default-browser-|dc77861eecd2248\LowerCaseLongPath  ->  c:\program files\mozilla firefox\default-browser-agent.exe
672742  15:29:19.108  InvDB-Ver               InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\BinProductVersion  ->  89.0.0.7817
672741  15:29:19.108  InvDB-CompileTimeClaim  InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LinkDate  ->  05/27/2021 19:04:06
672740  15:29:19.108  InvDB-Pub               InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\Publisher  ->  mozilla foundation
672739  15:29:19.108  InvDB-Path              InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LowerCaseLongPath  ->  c:\program files\mozilla firefox\crashreporter.exe
672738  15:29:19.092  InvDB-Pub               InventoryApplication\0000cfd57db9a7da9b6cf6e1372139d0af880000ffff\Publisher  ->  Mozilla
672737  15:29:19.077  InvDB-Ver               InventoryApplicationFile\ziptool.exe|7269435f129e6e01\BinProductVersion  ->  (Empty)
672736  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\ziptool.exe|7269435f129e6e01\LinkDate  ->  01/01/1970 00:00:00
672735  15:29:19.077  InvDB-Pub               InventoryApplicationFile\ziptool.exe|7269435f129e6e01\Publisher  ->  (Empty)
672734  15:29:19.077  InvDB-Path              InventoryApplicationFile\ziptool.exe|7269435f129e6e01\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\ziptool.exe
672733  15:29:19.077  InvDB-Ver               InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\BinProductVersion  ->  (Empty)
672732  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\LinkDate  ->  01/01/1970 00:00:00
672731  15:29:19.077  InvDB-Pub               Invento‌ryApplicationFile\zipmerge.exe|13ce9e43b33787b4\Publisher  ->  (Empty)
672730  15:29:19.077  InvDB-Path              InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\zipmerge.exe
672729  15:29:19.077  InvDB-Ver               InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\BinProductVersion  ->  (Empty)
672728  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LinkDate  ->  05/08/2031 18:06:26
672727  15:29:19.077  InvDB-Pub               InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\Publisher  ->  (Empty)
672726  15:29:19.077  InvDB-Path              InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LowerCaseLongPath  ->  c:\program files\git\usr\bin\zipinfo.exe
672725  15:29:19.077  InvDB-Ver               InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\BinProductVersion  ->  (Empty)
672724  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\LinkDate  ->  01/01/1970 00:00:00
672723  15:29:19.077  InvDB-Pub               InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\Publisher  ->  (Empty)
672722  15:29:19.077  InvDB-Path              InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\zipcmp.exe
672721  15:29:19.077  InvDB-Ver               InventoryApplicationFile\yes.exe|101013f8ea4cecdc\BinProductVersion  ->  (Empty)
672720  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LinkDate  ->  01/01/1970 00:00:00
672719  15:29:19.077  InvDB-Pub               InventoryApplicationFile\yes.exe|101013f8ea4cecdc\Publisher  ->  (Empty)
672718  15:29:19.077  InvDB-Path              InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LowerCaseLongPath  ->  c:\program files\git\usr\bin\yes.exe
672717  15:29:19.077  InvDB-Ver               InventoryApplicationFile\yat2m.exe|e602d782765213bc\BinProductVersion  ->  (Empty)
672716  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\yat2m.exe|e602d782765213bc\LinkDate  ->  01/01/1970 00:00:00
672715  15:29:19.077  InvDB-Pub               InventoryApplicationFile\yat2m.exe|e602d782765213bc\Publisher  ->  (Empty)
672714  15:29:19.077  InvDB-Path              InventoryApplicationFile\yat2m.exe|e602d782765213bc\LowerCaseLongPath  ->  c:\program files\git\usr\bin\yat2m.exe
672713  15:29:19.077  InvDB-Ver               InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\BinProductVersion  ->  5.2.5.0
672712  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LinkDate  ->  01/01/1970 00:00:00
672711  15:29:19.077  InvDB-Pub               InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\Publisher  ->  the tukaani project <https://tukaani.org/>
672710  15:29:19.077  InvDB-Path              InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\xzdec.exe
672709  15:29:19.077  InvDB-Ver               InventoryApplicationFile\xzcat.exe|6c454d521625ef75\BinProductVersion  ->  5.2.5.0
672708  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LinkDate  ->  01/01/1970 00:00:00
672707  15:29:19.077  InvDB-Pub               InventoryApplicationFile\xzcat.exe|6c454d521625ef75\Publisher  ->  the tukaani project <https://tukaani.org/>
672706  15:29:19.077  InvDB-Path              InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\xzcat.exe
672705  15:29:19.077  InvDB-Ver               InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\BinProductVersion  ->  5.2.5.0
672704  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LinkDate  ->  01/01/1970 00:00:00
672703  15:29:19.077  InvDB-Pub               InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\Publisher  ->  the tukaani project <https://tukaani.org/>
672702  15:29:19.077  InvDB-Path              InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\xz.exe
672701  15:29:19.077  InvDB-Ver               InventoryApplicationFile\xxd.exe|ec817b4721384459\BinProductVersion  ->  (Empty)
672700  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\xxd.exe|ec817b4721384459\LinkDate  ->  01/01/1970 00:00:00
672699  15:29:19.077  InvDB-Pub               InventoryApplicationFile\xxd.exe|ec817b4721384459\Publisher  ->  (Empty)
672698  15:29:19.077  InvDB-Path              InventoryApplicationFile\xxd.exe|ec817b4721384459\LowerCaseLongPath  ->  c:\program files\git\usr\bin\xxd.exe
672697  15:29:19.077  InvDB-Ver               InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\BinProductVersion  ->  (Empty)
672696  15:29:19.077  InvDB-CompileTimeClaim  InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LinkDate  ->  01/01/1970 00:00:00
672695  15:29:19.077  InvDB-Pub               InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\Publisher  ->  (Empty)
672694  15:29:19.077  InvDB-Path              InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LowerCaseLongPath  ->  c:\program files\git\mingw64\bin\xmlwf.exe
672693  15:29:19.077  InvDB-Ver               InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\BinProductVersion  ->  (Empty)
672692  (cont.)       InvDB-CompileTimeClaim  (UtcTime, TargetObject and Details continue on the next page)
15:29:19.077{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LinkDate07/19/2029 06:51:46 13241300x8000000000000000672691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.077{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\Publisher(Empty) 13241300x8000000000000000672690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.077{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LowerCaseLongPathc:\program files\git\usr\bin\xgettext.exe 13241300x8000000000000000672689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\BinProductVersion(Empty) 13241300x8000000000000000672688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\Publisher(Empty) 13241300x8000000000000000672686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LowerCaseLongPathc:\program files\git\usr\bin\xargs.exe 13241300x8000000000000000672685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\BinProductVersion(Empty) 13241300x8000000000000000672684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\Publisher(Empty) 13241300x8000000000000000672682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-deflatehd.exe 13241300x8000000000000000672681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\BinProductVersion(Empty) 13241300x8000000000000000672680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\Publisher(Empty) 13241300x8000000000000000672678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-inflatehd.exe 13241300x8000000000000000672677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\BinProductVersion(Empty) 13241300x8000000000000000672676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\Publisher(Empty) 13241300x8000000000000000672674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-agrep.exe 13241300x8000000000000000672673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\BinProductVersion8.6.2.11 13241300x8000000000000000672672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\Publisheractivestate corporation 13241300x8000000000000000672670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LowerCaseLongPathc:\program files\git\mingw64\bin\wish86.exe 13241300x8000000000000000672669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\BinProductVersion8.6.2.11 13241300x8000000000000000672668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\Publisheractivestate corporation 13241300x8000000000000000672666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LowerCaseLongPathc:\program files\git\mingw64\bin\wish.exe 13241300x8000000000000000672665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\BinProductVersion(Empty) 13241300x8000000000000000672664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LinkDate11/17/2017 22:11:01 13241300x8000000000000000672663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\Publisher(Empty) 13241300x8000000000000000672662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LowerCaseLongPathc:\program files\git\mingw64\bin\wintoast.exe 13241300x8000000000000000672661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\BinProductVersion(Empty) 13241300x8000000000000000672660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\Publisher(Empty) 13241300x8000000000000000672658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LowerCaseLongPathc:\program files\git\usr\bin\winpty.exe 13241300x8000000000000000672657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\BinProductVersion(Empty) 13241300x8000000000000000672656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LinkDate05/08/2031 18:06:26 13241300x8000000000000000672655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\Publisher(Empty) 13241300x8000000000000000672654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LowerCaseLongPathc:\program files\git\usr\bin\winpty-debugserver.exe 13241300x8000000000000000672653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\BinProductVersion(Empty) 13241300x8000000000000000672652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LinkDate05/08/2031 18:06:26 13241300x8000000000000000672651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\Publisher(Empty) 13241300x8000000000000000672650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LowerCaseLongPathc:\program files\git\usr\bin\winpty-agent.exe 13241300x8000000000000000672649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\BinProductVersion(Empty) 13241300x8000000000000000672648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\Publisher(Empty) 13241300x8000000000000000672646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LowerCaseLongPathc:\program files\git\mingw64\bin\whouses.exe 13241300x8000000000000000672645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\BinProductVersion(Empty) 13241300x8000000000000000672644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\Publisher(Empty) 13241300x8000000000000000672642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LowerCaseLongPathc:\program files\git\usr\bin\whoami.exe 13241300x8000000000000000672641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\BinProductVersion(Empty) 13241300x8000000000000000672640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\Publisher(Empty) 13241300x8000000000000000672638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LowerCaseLongPathc:\program files\git\usr\bin\who.exe 13241300x8000000000000000672637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\BinProductVersion(Empty) 13241300x8000000000000000672636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LinkDate01/02/1970 12:24:32 13241300x8000000000000000672635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\Publisher(Empty) 13241300x8000000000000000672634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LowerCaseLongPathc:\program files\git\usr\bin\which.exe 13241300x8000000000000000672633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\BinProductVersion(Empty) 13241300x8000000000000000672632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\Publisher(Empty) 13241300x8000000000000000672630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LowerCaseLongPathc:\program files\git\usr\bin\wc.exe 13241300x8000000000000000672629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\BinProductVersion(Empty) 13241300x8000000000000000672628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\Publisher(Empty) 13241300x8000000000000000672626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LowerCaseLongPathc:\program files\git\usr\bin\watchgnupg.exe 13241300x8000000000000000672625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\BinProductVersion(Empty) 13241300x8000000000000000672624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\Publisher(Empty) 13241300x8000000000000000672622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
Sysmon Event ID 13 (RegistryEvent, Value Set) records from the Microsoft-Windows-Sysmon/Operational channel on win-dc-233.attackrange.local, re-split into fields. In the raw dump the fields of each record were run together and the RuleName and EventType fields were fused (InvDB-VerSetValue is RuleName InvDB-Ver followed by EventType SetValue). The following fields are identical in every record of this section and are listed once:

  System:       EventID 13, Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000
  EventType:    SetValue
  UtcTime:      2021-06-03 15:29:19.061
  ProcessGuid:  {D419E45B-F54C-60B8-3551-00000000C401}
  ProcessId:    1612
  Image:        C:\Windows\system32\compattelrunner.exe
  TargetObject: \REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\<file.exe|id>\<value name>

Records are grouped by the <file.exe|id> key they write to, in the dump's order (descending EventRecordID). Columns: EventRecordID, RuleName, value name, Details. The first record is cut across the section break, so its EventRecordID and RuleName are not on this page.

vimdiff.exe|67340c9152f6152c
  ?       ?                       LowerCaseLongPath  c:\program files\git\usr\bin\vimdiff.exe

vim.exe|43ed39053a824d04
  672621  InvDB-Ver               BinProductVersion  (Empty)
  672620  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672619  InvDB-Pub               Publisher          (Empty)
  672618  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\vim.exe

view.exe|904157a959d595c9
  672617  InvDB-Ver               BinProductVersion  (Empty)
  672616  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672615  InvDB-Pub               Publisher          (Empty)
  672614  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\view.exe

vdir.exe|d36f5c65563e728d
  672613  InvDB-Ver               BinProductVersion  (Empty)
  672612  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672611  InvDB-Pub               Publisher          (Empty)
  672610  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\vdir.exe

users.exe|4d383589d66a4050
  672609  InvDB-Ver               BinProductVersion  (Empty)
  672608  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672607  InvDB-Pub               Publisher          (Empty)
  672606  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\users.exe

urlget.exe|b1ac3fe6098df4f3
  672605  InvDB-Ver               BinProductVersion  (Empty)
  672604  InvDB-CompileTimeClaim  LinkDate           06/19/2025 15:30:53
  672603  InvDB-Pub               Publisher          (Empty)
  672602  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\lib\gettext\urlget.exe

unzipsfx.exe|f11926d1b5caa9e4
  672601  InvDB-Ver               BinProductVersion  (Empty)
  672600  InvDB-CompileTimeClaim  LinkDate           05/08/2031 18:06:26
  672599  InvDB-Pub               Publisher          (Empty)
  672598  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\unzipsfx.exe

unzip.exe|678f320572a2cac0
  672597  InvDB-Ver               BinProductVersion  (Empty)
  672596  InvDB-CompileTimeClaim  LinkDate           05/08/2031 18:06:26
  672595  InvDB-Pub               Publisher          (Empty)
  672594  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\unzip.exe

unxz.exe|af430565744d9629
  672593  InvDB-Ver               BinProductVersion  5.2.5.0
  672592  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672591  InvDB-Pub               Publisher          the tukaani project <https://tukaani.org/>
  672590  InvDB-Path              LowerCaseLongPath  c:\program files\git\mingw64\bin\unxz.exe

unlink.exe|8905006f80ba665e
  672589  InvDB-Ver               BinProductVersion  (Empty)
  672588  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672587  InvDB-Pub               Publisher          (Empty)
  672586  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\unlink.exe

unix2mac.exe|ce61a10675030bc2
  672585  InvDB-Ver               BinProductVersion  (Empty)
  672584  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672583  InvDB-Pub               Publisher          (Empty)
  672582  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\unix2mac.exe

unix2dos.exe|d30cb63cbe1e2952
  672581  InvDB-Ver               BinProductVersion  (Empty)
  672580  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672579  InvDB-Pub               Publisher          (Empty)
  672578  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\unix2dos.exe

uniq.exe|4d8db7f943d46212
  672577  InvDB-Ver               BinProductVersion  (Empty)
  672576  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672575  InvDB-Pub               Publisher          (Empty)
  672574  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\uniq.exe

unins000.exe|53f54630e98a3bb8
  672573  InvDB-Ver               BinProductVersion  2.31.1.1
  672572  InvDB-CompileTimeClaim  LinkDate           11/15/2020 09:48:32
  672571  InvDB-Pub               Publisher          the git development community
  672570  InvDB-Path              LowerCaseLongPath  c:\program files\git\unins000.exe

unexpand.exe|4aa0be7d58d7a70e
  672569  InvDB-Ver               BinProductVersion  (Empty)
  672568  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672567  InvDB-Pub               Publisher          (Empty)
  672566  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\unexpand.exe

uname.exe|aa1eb9eb8d6d257c
  672565  InvDB-Ver               BinProductVersion  (Empty)
  672564  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672563  InvDB-Pub               Publisher          (Empty)
  672562  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\uname.exe

umount.exe|7b6c7cea428daaaa
  672561  InvDB-Ver               BinProductVersion  (Empty)
  672560  InvDB-CompileTimeClaim  LinkDate           03/26/2021 22:24:41
  672559  InvDB-Pub               Publisher          (Empty)
  672558  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\umount.exe

u2d.exe|757aee4677b2e42f
  672557  InvDB-Ver               BinProductVersion  (Empty)
  672556  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672555  InvDB-Pub               Publisher          (Empty)
  672554  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\u2d.exe

tzset.exe|6044895f1b845eb4
  672553  InvDB-Ver               BinProductVersion  (Empty)
  672552  InvDB-CompileTimeClaim  LinkDate           03/26/2021 22:24:41
  672551  InvDB-Pub               Publisher          (Empty)
  672550  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\tzset.exe

tty.exe|f000538bcc1d4307
  672549  InvDB-Ver               BinProductVersion  (Empty)
  672548  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672547  InvDB-Pub               Publisher          (Empty)
  672546  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\tty.exe

tsort.exe|cfc2b8bfaeea292f
  672545  InvDB-Ver               BinProductVersion  (Empty)
  672544  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672543  InvDB-Pub               Publisher          (Empty)
  672542  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\tsort.exe

tset.exe|9472efe3f6c3d05
  672541  InvDB-Ver               BinProductVersion  (Empty)
  672540  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672539  InvDB-Pub               Publisher          (Empty)
  672538  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\tset.exe

trust.exe|8799eae1c6ff22d6
  672537  InvDB-Ver               BinProductVersion  (Empty)
  672536  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672535  InvDB-Pub               Publisher          (Empty)
  672534  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\trust.exe

truncate.exe|c8ba1860e9b89c7c
  672533  InvDB-Ver               BinProductVersion  (Empty)
  672532  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672531  InvDB-Pub               Publisher          (Empty)
  672530  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\truncate.exe

true.exe|63cbe5fc93313f79
  672529  InvDB-Ver               BinProductVersion  (Empty)
  672528  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672527  InvDB-Pub               Publisher          (Empty)
  672526  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\true.exe

tr.exe|8da93faf0d2cfacc
  672525  InvDB-Ver               BinProductVersion  (Empty)
  672524  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672523  InvDB-Pub               Publisher          (Empty)
  672522  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\tr.exe

tput.exe|b8002a648477f6bb
  672521  InvDB-Ver               BinProductVersion  (Empty)
  672520  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672519  InvDB-Pub               Publisher          (Empty)
  672518  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\tput.exe

touch.exe|be858ef96bb42d35
  672517  InvDB-Ver               BinProductVersion  (Empty)
  672516  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672515  InvDB-Pub               Publisher          (Empty)
  672514  InvDB-Path              LowerCaseLongPath  c:\program files\git\usr\bin\touch.exe

toe.exe|575b8daf3eccb5a3
  672513  InvDB-Ver               BinProductVersion  (Empty)
  672512  InvDB-CompileTimeClaim  LinkDate           01/01/1970 00:00:00
  672511  InvDB-Pub               Publisher          (Empty)
13241300x8000000000000000672510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LowerCaseLongPathc:\program files\git\usr\bin\toe.exe 13241300x8000000000000000672509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\BinProductVersion(Empty) 13241300x8000000000000000672508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\Publisher(Empty) 13241300x8000000000000000672506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LowerCaseLongPathc:\program files\git\usr\bin\timeout.exe 13241300x8000000000000000672505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\BinProductVersion(Empty) 13241300x8000000000000000672504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\Publisher(Empty) 13241300x8000000000000000672502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LowerCaseLongPathc:\program files\git\usr\bin\tig.exe 13241300x8000000000000000672501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\BinProductVersion(Empty) 13241300x8000000000000000672500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\Publisher(Empty) 13241300x8000000000000000672498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.061{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LowerCaseLongPathc:\program files\git\usr\bin\tic.exe 13241300x8000000000000000672497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\BinProductVersion(Empty) 13241300x8000000000000000672496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\Publisher(Empty) 
13241300x8000000000000000672494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LowerCaseLongPathc:\program files\git\usr\bin\test.exe 13241300x8000000000000000672493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\BinProductVersion(Empty) 13241300x8000000000000000672492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\Publisher(Empty) 13241300x8000000000000000672490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LowerCaseLongPathc:\program files\git\usr\bin\tee.exe 13241300x8000000000000000672489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\BinProductVersion8.6.2.11 13241300x8000000000000000672488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\Publisheractivestate corporation 13241300x8000000000000000672486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh86.exe 13241300x8000000000000000672485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\BinProductVersion(Empty) 13241300x8000000000000000672484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\Publisher(Empty) 13241300x8000000000000000672482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\LowerCaseLongPathc:\program files\git\usr\bin\tclsh8.6.exe 13241300x8000000000000000672481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\BinProductVersion8.6.2.11 13241300x8000000000000000672480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\Publisheractivestate corporation 13241300x8000000000000000672478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh.exe 13241300x8000000000000000672477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\BinProductVersion(Empty) 13241300x8000000000000000672476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\Publisher(Empty) 13241300x8000000000000000672474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 
15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\LowerCaseLongPathc:\program files\git\usr\bin\tclsh.exe 13241300x8000000000000000672473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-VerSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\BinProductVersion(Empty) 13241300x8000000000000000672472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PubSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\Publisher(Empty) 13241300x8000000000000000672470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDB-PathSetValue2021-06-03 15:29:19.045{D419E45B-F54C-60B8-3551-00000000C401}1612C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{5ad20094-020b-9d31-4e12-60dd2f69b296}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LowerCaseLongPathc:\program files\git\usr\bin\tar.exe 23542300x8000000000000000614014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:21.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C4E6FB4001F5B1DD96030DDF4C13B7,SHA256=AF90EBA9271B2F25A840673302451244009C4043DDDCB9300FA8927AC69A90A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.136{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local51262- 354300x8000000000000000673025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.106{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local51909-false172.217.14.206sea30s01-in-f14.1e100.net443https 354300x8000000000000000673024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.095{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local58054- 23542300x8000000000000000673023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:22.181{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C902ED588C0299F2D57EEEA565C3E399,SHA256=60CD339139B993BC92F0C1153A9BD3B98F0EA4C51F7E6744EE2D35A1F24C767B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:22.087{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD5D1AAC39525A8DC43FC6F56A577E5,SHA256=F988E09FE3B80EF9D41AECD0B3CC170F038FAF2A163E8468E351132471482BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:22.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91ABD23ECDE46A0F82B5F3BB16226E1,SHA256=C2E3CBE9F3C402A4A7D24D3CC235C71209CF28FD178961928599ECB73EF03361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09A3BAA147E078CDDB3D9D5FD06FBFE,SHA256=0451A562AAE71424B0FCD51AE49FAD9AD45BF44CF38EE2170188A1C8EAE6D1DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.540{D419E45B-F553-60B8-3C51-00000000C401}69607004C:\Windows\system32\conhost.exe{D419E45B-F553-60B8-3D51-00000000C401}3808C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.525{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.525{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.525{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.525{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.525{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-F553-60B8-3D51-00000000C401}3808C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.525{D419E45B-F553-60B8-3B51-00000000C401}21686608C:\Windows\system32\cmd.exe{D419E45B-F553-60B8-3D51-00000000C401}3808C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.531{D419E45B-F553-60B8-3D51-00000000C401}3808C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 10 localhostC:\Program Files\WinRAR\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\2\_uninsep.bat" " 
10341000x8000000000000000673048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.510{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-F553-60B8-3C51-00000000C401}6960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.510{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-F553-60B8-3C51-00000000C401}6960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.478{D419E45B-F553-60B8-3C51-00000000C401}69607004C:\Windows\system32\conhost.exe{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.478{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.478{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.478{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-F553-60B8-3C51-00000000C401}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.478{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.478{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.478{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.478{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.478{D419E45B-752F-60B6-1000-00000000C401}4166524C:\Windows\System32\svchost.exe{D419E45B-F553-60B8-3C51-00000000C401}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.462{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.462{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.462{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.462{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:23.462{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.462{D419E45B-F54A-60B8-3051-00000000C401}68843416C:\Program Files\WinRAR\th.exe{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+8e49f|C:\Windows\System32\SHELL32.dll+8e32c|C:\Windows\System32\SHELL32.dll+8e07c|C:\Windows\System32\SHELL32.dll+11c467|C:\Windows\System32\SHELL32.dll+11c3c5|C:\Windows\System32\SHELL32.dll+1378db|C:\Program Files\WinRAR\th.exe+de2a|C:\Program Files\WinRAR\th.exe+1e649|C:\Program Files\WinRAR\th.exe+17b38|C:\Program Files\WinRAR\th.exe+1c33c|C:\Program Files\WinRAR\th.exe+1c3f4|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000673031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.473{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\2\_uninsep.bat" "C:\Program 
Files\WinRAR\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exe"C:\Program Files\WinRAR\th.exe" -lng English -src wrr -lp thankyou -ver 580 -arch 64 -dom notifier.win-rar.com /S 10341000x8000000000000000673030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.462{D419E45B-752F-60B6-1000-00000000C401}4166524C:\Windows\System32\svchost.exe{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000673029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:23.462{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_uninsep.bat2021-06-03 15:29:23.462 354300x8000000000000000673028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.540{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51911-false10.0.1.12-8000- 354300x8000000000000000673027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:18.144{D419E45B-F54A-60B8-3051-00000000C401}6884C:\Program Files\WinRAR\th.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local51910-false142.251.33.99sea30s10-in-f3.1e100.net80http 
23542300x8000000000000000614016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:23.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942019AD4BF0FB86FF76FA14D5CD6CD0,SHA256=2F703E7F31E84DE3521CFF1B782248013FB96370CE82E60D41ADCB6688E5CBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:24.148{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3374B005CA968FBDC13F3B37798517,SHA256=B5F1465119570F8C4870A0CED0ACDC8DAB3B41CA14516A8EC84AF839EC59BDFC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localInvDBSetValue2021-06-03 15:29:25.525{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exeHKU\S-1-5-21-3762655356-77726385-4168110057-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\WinRAR\th.exeBinary Data 354300x8000000000000000673059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:20.837{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local60050- 23542300x8000000000000000673058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:25.353{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B0A018D723DBA65FA2C8ED2710513A47,SHA256=0FA3743A844E918981A69FD4697EE725F3C5437625718ADB4EC1548EEBF17928,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:23.026{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50970-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:25.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77F4F1C988617719C918CDD253CFDCF5,SHA256=90ADB134D1E58924D1B749B1CA549D680CAF9967A83E7E972758814F92BF05D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:25.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA72DAA1E89DEE826521F52372371C49,SHA256=7E1274B107E292B7C9E1C8ADA46BCC2B60A77EE4C469685AAFDF73621A8A65A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:25.148{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880DAD98274A1A549CD8E6D2CAB662C8,SHA256=C4A43437877E2522ACE73E9F38FFDBB811F8B1CAED31047DBB51DA0D5B12F477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:26.884{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=167A6312F3DBB21F92338F10F233074B,SHA256=EC111D881B3F3F58C1E30E2899F6D425B798E7E60046645B21FCA3CA9E424609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:26.148{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B274672B75E1057736CAB604138F65FF,SHA256=B777C8FB0E582044822EF5C450E891F7534EDB9419EBC8F04AD9BB9EEDFD5BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:27.072{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:27.072{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:27.072{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:27.072{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:27.072{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:27.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F192BEC367D6A43F2E99EF8AB6D762,SHA256=39B8B27BFF64071DB5D82F28CE7F7E647454D07C11C950B6D8ADA26D2B39391B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:24.493{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51912-false10.0.1.12-8000- 23542300x8000000000000000614024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:28.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA7B294A9DD175D1F453BE9350840E7,SHA256=9C93202E7EAC9C1952F8721FA2BDD91AAEF49E7A1BB0B1649E1FF70F7A92E481,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000614043Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.195{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000614042Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.179{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614041Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:29.179{97C2ED32-772F-60B6-0B00-00000000C501}6282772C:\Windows\system32\lsass.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614040Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD1640B47BC7265E62B46241382EC09,SHA256=941A4B3794DB3354AE727056441136D608EE7E67F7AAC2DAE52FC229296046E5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000614039Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.179{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 
10341000x8000000000000000614038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.164{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.164{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.164{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-F559-60B8-6E5B-00000000C501}4880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:29.164{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F559-60B8-6E5B-00000000C501}4880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.148{97C2ED32-F559-60B8-6E5B-00000000C501}48803328C:\Windows\system32\conhost.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.148{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-F559-60B8-6E5B-00000000C501}4880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:29.148{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.148{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:29.148{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.148{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:29.148{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.148{97C2ED32-9D3E-60B6-7A08-00000000C501}33646008C:\Windows\system32\ServerManager.exe{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\
1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000614026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.143{97C2ED32-F559-60B8-6D5B-00000000C501}2080C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000614025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:29.101{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=267757D1A86F41DA0EC040FDFD43C30F,SHA256=FB0BECB7937E943DD905EE2852CAF019BFDB6FC5559794AA4CBFDE94AF9D9989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614056Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614055Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614054Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614053Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614052Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614051Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614050Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614049Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614048Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:30.211{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614047Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A407D6D10E6E4310020EF5B4BBBEAFA,SHA256=6D12A7633C717641AC4C899213FDCB3CBC43447F70E9E2356A43F188BA824BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614046Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77F4F1C988617719C918CDD253CFDCF5,SHA256=90ADB134D1E58924D1B749B1CA549D680CAF9967A83E7E972758814F92BF05D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614045Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:30.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=16ACAC528FE8DC41E7DCE867E534A09C,SHA256=995EC58656B53479024EDF32C760B387DAE709D1A5DD5E17414E4AD090A04B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614044Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:30.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=53B3CD5D4DD3CCD06C01BF5A67B1C4EE,SHA256=4A410B921FD8D8C927FBA8EB2820A31B672849081B752673AB808E9A196643BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:31.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697C3CE63BC5FCAAB6F9E078719CB15,SHA256=4D2055DEB49972384EB86E79135D7E794420BB720C363CB4ABC2A4B0037A6C90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:28.048{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50971-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000614057Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:28.048{97C2ED32-F559-60B8-6D5B-00000000C501}2080<unknown 
process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50971-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000673340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.978{D419E45B-F553-60B8-3B51-00000000C401}2168ATTACKRANGE\AdministratorC:\Windows\system32\cmd.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\_uninsep.batMD5=6224BB438CDB01B4A2EA61640F03408B,SHA256=1D126EF5C2EAF2A009762A85D1384CA6698CF18CEA179B42B907F1B9DC4E43D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.978{D419E45B-F553-60B8-3B51-00000000C401}2168ATTACKRANGE\AdministratorC:\Windows\system32\cmd.exeC:\Program Files\WinRAR\th.exeMD5=5657F521356461758DF8658043CF6142,SHA256=BC642DBE66B4A11A1836079A923FEDDF5F820CAA84077BF597D515B12AE57DC9,IMPHASH=E16FCB53D3FA776BF7BBE936C9A73B41truetrue 10341000x8000000000000000673338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.947{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.931{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.931{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.915{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.900{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.884{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-F55C-60B8-3F51-00000000C401}2076C:\Windows\system32\find.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-F553-60B8-3C51-00000000C401}6960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-F162-60B8-B850-00000000C401}4488C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-98E9-60B7-FF27-00000000C401}4844C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-A157-60B6-E70A-00000000C401}628C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-A157-60B6-E60A-00000000C401}3196C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7950-60B6-5804-00000000C401}4900C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7950-60B6-5704-00000000C401}4368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78CF-60B6-0E03-00000000C401}5960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.868{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78A3-60B6-B702-00000000C401}4112C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c
10341000x8000000000000000673150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78A3-60B6-B402-00000000C401}4592C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78A1-60B6-B002-00000000C401}4568C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-78A0-60B6-AE02-00000000C401}1116C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-75BA-60B6-9400-00000000C401}3176C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7552-60B6-7500-00000000C401}2528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7541-60B6-4500-00000000C401}3700C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7541-60B6-3D00-00000000C401}3520C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7541-60B6-3700-00000000C401}3404C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7540-60B6-3300-00000000C401}3148C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-3100-00000000C401}2712C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-3000-00000000C401}2356C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2F00-00000000C401}2164C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2800-00000000C401}2876C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.853{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-753F-60B6-2500-00000000C401}2784C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7539-60B6-2300-00000000C401}2616C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7534-60B6-2200-00000000C401}2540C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7534-60B6-2100-00000000C401}2532C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7530-60B6-1D00-00000000C401}1964C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7530-60B6-1700-00000000C401}1404C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-1200-00000000C401}480C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-1100-00000000C401}404C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-1000-00000000C401}416C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-0F00-00000000C401}360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-0E00-00000000C401}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752F-60B6-0C00-00000000C401}848C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.837{D419E45B-F55C-60B8-4051-00000000C401}40245884C:\Windows\system32\wbem\wmiprvse.exe{D419E45B-752D-60B6-0900-00000000C401}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.821{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.821{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.821{D419E45B-7530-60B6-1600-00000000C401}12685744C:\Windows\System32\svchost.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.806{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B41E56F0939131D1E0570717B00A6E4,SHA256=0076A6F05528DDCCA9C46B8AE9FEEF6153BA3702FC0A7FF094C4D5E6B3E86476,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.806{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.790{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.790{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.775{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.775{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.775{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.743{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.743{D419E45B-F553-60B8-3C51-00000000C401}69607004C:\Windows\system32\conhost.exe{D419E45B-F55C-60B8-3F51-00000000C401}2076C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.743{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.743{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.743{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.743{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.728{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-F55C-60B8-3F51-00000000C401}2076C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.728{D419E45B-F553-60B8-3B51-00000000C401}21686608C:\Windows\system32\cmd.exe{D419E45B-F55C-60B8-3F51-00000000C401}2076C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+22d44|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.742{D419E45B-F55C-60B8-3F51-00000000C401}2076C:\Windows\System32\find.exe10.0.14393.0 (rs1_release.160715-1616)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXEFind "C:\Program Files\WinRAR\th.exe" C:\Program Files\WinRAR\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=1E16116CCE7317C0E87559DA23A4EAD3,SHA256=40C0EC6D7371D316BC1F0ABE80D0236F613C9FB88DCE2D9B5D5FD4A1A59E8B49,IMPHASH=8227B3EA21F13E06E81C9AA2636A858A{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c 
""C:\Users\ADMINI~1\AppData\Local\Temp\2\_uninsep.bat" " 10341000x8000000000000000673077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.728{D419E45B-F553-60B8-3C51-00000000C401}69607004C:\Windows\system32\conhost.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.728{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.728{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:32.728{D419E45B-F553-60B8-3B51-00000000C401}21686608C:\Windows\system32\cmd.exe{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+22d44|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.736{D419E45B-F55C-60B8-3E51-00000000C401}4480C:\Windows\System32\tasklist.exe10.0.14393.0 (rs1_release.160715-1616)Lists the current running tasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtasklist.exeTaskListC:\Program Files\WinRAR\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=6F2FDCF651A1650FC7B4FC5A860E4D9D,SHA256=27EDDAC6A2E5A74DF67C534393B0B025B03D61310748BE016DCE348A02D30A22,IMPHASH=9C5CFDDF3336412B8046D54234415205{D419E45B-F553-60B8-3B51-00000000C401}2168C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\2\_uninsep.bat" " 23542300x8000000000000000673069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.306{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=95D788ECA128799777EABC19A53099E9,SHA256=BC6DA213C63523644F308C23C9F34630695F0052CF73E67D6A478FDFD6FA0FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.056{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90C786D195D490587C75736381E08BC,SHA256=A2E7BDB237EEB42F95587D23F3BAB9CCD077ACA65A5B9013260B8180431E33CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:32.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388CB4C9C6178B8619A457D3888DF335,SHA256=43FD4F1D9A86223E428504DECA44782A0326F7A87284B0C3676ED222BD149540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:28.870{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50972-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000673350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.702{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local59767- 354300x8000000000000000673349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.701{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53943- 354300x8000000000000000673348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.685{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51915-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49667- 354300x8000000000000000673347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.685{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51915-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49667- 354300x8000000000000000673346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.684{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51914-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000673345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.684{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51914-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000673344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:29.540{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51913-false10.0.1.12-8000- 23542300x8000000000000000673343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:33.556{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F24D0AC9CCF0E88BE9DF0FCEF2F7641F,SHA256=6D58DA1B690C0078377380BA6149B133D606ED566A03B10409D4B22F32DAD519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:33.556{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC701B178E96A83A59BAD813EA0C1EDC,SHA256=5F9D27393EE8EEB270488359D201B80A09B789364DE048BB55AC0168536BFF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:33.556{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3BA449C4D0DD2FD79C1A7E44FC39D0,SHA256=C3FD18277A5A69026D01065144E6DB81E1DB4C35D696DCD1C8A69F2424C9737F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:33.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62178E3C475E82EB9A4F51DF0E7F9E6B,SHA256=4C845E51B919DB533AFAFF85B0AC8479FF79545EFDFCF13928DFC60E514B2144,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.706{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-233.attackrange.local137netbios-ns 354300x8000000000000000673351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.706{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-233.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 23542300x8000000000000000614063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:34.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8551F128DA86F35F45F10759F0D29549,SHA256=E42B4720DE9BDDFAF5CD046360529E7BFD44C42B34ED1ED8F43719E71C4DD2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:35.853{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3999A70A487E18E653D85D4B09E9BD,SHA256=76CACE522247F79503F701412F87175F6FE271DE1BC53DFBD91061C1384BB7D7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000614064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:35.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACFB08E1AC66F55C9D5AE191D116FA0,SHA256=22E3DE7239C6354C6359ABBD95BAA7B278CDFA7E7332DDF2F7320921222D5B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:36.603{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09104A4056710EEC9E995D54B230A42D,SHA256=852E8AB687E6FDFD979EA2669CEE4D7535C4E516C26BE20888ABBA155DD039DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:34.042{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50973-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:36.430{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B507881BD986762348B6498C39441BF,SHA256=7917773C7819CE9D272A8239628EA7DD3AE30DF5D43CFB58D39183F313AA68BD,IMPHASH=00000000000000000000000000000000falsetrue 
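The records above are Sysmon events collected through the Splunk universal forwarder with every XML tag stripped, so the fields of each event run together (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, then the EventData fields in schema order). The Event ID 10 (ProcessAccess) records are the ones worth working with here: several show svchost.exe opening lsass.exe with GrantedAccess 0x1400 from lsm.dll, and one shows lsass.exe opening wmiprvse.exe with 0x1478 from SspiSrv.dll. The example below is added for this page and is not part of the original export or of any Splunk or Sysmon tooling: it splits the flattened text back into records, recovers the Event 10 fields by anchoring on what survives (header digits, {GUID} braces, drive-letter paths, the 0x mask, the '|' call trace), and applies an lsass-access check. The field order is taken from the Sysmon Event 10 schema; the "-" between Computer and UtcTime is read as the empty RuleName; source PID and TID cannot be separated because nothing delimits them. The first three sample records are copied from this page (EventRecordIDs 673089, 673096, 673344); the fourth (record 999999, C:\Users\Public\tool.exe, 0x1010) is constructed to produce a hit. The rights mask used for the check (VM_READ, VM_WRITE, VM_OPERATION, CREATE_THREAD, DUP_HANDLE) is the author's choice for this example, not a rule from the page.

```python
"""Recover Sysmon Event ID 10 (ProcessAccess) records from the tag-stripped
export above and flag suspicious handles opened on lsass.exe.

Added example, not part of the original export or of any Sysmon/Splunk code.
"""
import re

# Every record starts with EventID/Version/Level/Task/Opcode digits, then the
# Keywords value 0x8000000000000000, the EventRecordID and the channel name.
RECORD_START = r"\d+0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational"

# Event 10 field order in the Sysmon schema: RuleName, UtcTime,
# SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage,
# TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
# The header "1034100" is EventID 10, Version 3, Level 4, Task 10, Opcode 0.
EVENT10_RE = re.compile(
    r"^10341000x8000000000000000(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>[A-Za-z0-9.-]+?)-"            # Computer, then "-" (empty RuleName)
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<src_guid>[0-9A-Fa-f-]+)\}"
    r"(?P<src_pid_tid>\d+)"                      # PID and TID are fused, e.g. 632756
    r"(?P<src_image>[A-Za-z]:\\[^{]+)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]+)\}"
    r"(?P<tgt_pid>\d+)"
    r"(?P<tgt_image>[A-Za-z]:\\.+?)"
    # The hex mask runs straight into the call trace's drive letter, and 'C'
    # is a hex digit, so stop at the first point where a module path can begin.
    r"0x(?P<granted_access>[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN|$)"
    r"(?P<call_trace>.*)$"
)

# Process access rights (winnt.h) that a credential dumper needs on lsass.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE = 0x0010, 0x0020, 0x0040
MEMORY_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
                 | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)   # 0x7a


def split_records(blob):
    """Split the flattened export into one string per record.  Records are
    separated by whitespace (the page wraps some of it onto new lines), so
    only split where the next record's header follows."""
    flat = re.sub(r"\s+", " ", blob).strip()
    return [r for r in re.split(" (?=" + RECORD_START + ")", flat) if r]


def parse_event10(records):
    """Return a dict per Event ID 10 record; other event types are skipped."""
    events = []
    for rec in records:
        m = EVENT10_RE.match(rec)
        if m:
            ev = m.groupdict()
            ev["granted_access"] = int(ev["granted_access"], 16)
            events.append(ev)
    return events


def lsass_access_findings(events):
    """Flag handles to lsass.exe that carry memory/thread rights or come from
    an image outside C:\\Windows.  lsass opening *other* processes (its SSPI
    RPC callbacks, as in record 673096) is out of scope: direction matters."""
    findings = []
    for ev in events:
        if not ev["tgt_image"].lower().endswith("\\lsass.exe"):
            continue
        reasons = []
        if ev["granted_access"] & MEMORY_RIGHTS:
            reasons.append("memory/thread rights 0x%x" % (ev["granted_access"] & MEMORY_RIGHTS))
        if not ev["src_image"].lower().startswith("c:\\windows\\"):
            reasons.append("source image outside C:\\Windows")
        if reasons:
            findings.append({"record_id": ev["record_id"], "src_image": ev["src_image"],
                             "granted_access": hex(ev["granted_access"]), "reasons": reasons})
    return findings


# Constructed sample input: records 673089, 673096 and 673344 are copied from
# the export above; record 999999 (C:\Users\Public\tool.exe, 0x1010) is invented
# to produce a hit.  A newline sits inside one timestamp to mimic the page wrap.
SAMPLE_EXPORT = (
    r"10341000x8000000000000000673089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:32.775"
    r"{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|"
    r"C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|"
    r"C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|"
    r"C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|"
    r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 "
    "10341000x8000000000000000673096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03\n15:29:32.821"
    r"{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-F55C-60B8-4051-00000000C401}4024C:\Windows\system32\wbem\wmiprvse.exe0x1478"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|"
    r"C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|"
    r"C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|"
    r"C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|"
    r"C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 "
    r"354300x8000000000000000673344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:29.540{D419E45B-754A-60B6-6C00-00000000C401}3320"
    r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEM"
    r"tcptruefalse10.0.1.14win-dc-233.attackrange.local51913-false10.0.1.12-8000- "
    r"10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:40.000"
    r"{D419E45B-F580-60B8-5051-00000000C401}51204096C:\Users\Public\tool.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1010"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Public\tool.exe+1f3a"
)

if __name__ == "__main__":
    for hit in lsass_access_findings(parse_event10(split_records(SAMPLE_EXPORT))):
        print(hit)
```

Run as-is, the only finding is the constructed record 999999 (0x1010 carries PROCESS_VM_READ, and the source sits under C:\Users). The page's own svchost.exe -> lsass.exe records (0x1400, lsm.dll in the call trace) carry only QUERY_INFORMATION and QUERY_LIMITED_INFORMATION and stay quiet, and the 0x1478 record is lsass opening its RPC client, so the target filter drops it. Two caveats for reuse: the rights mask, not the source image, is the primary signal (svchost.exe hosts arbitrary services, so an allowlist on its path alone is weak), and the parser only recovers what this flattened export keeps, so the fused PID/TID field and the absence of the Security UserID attribute are limits of the data, not of Sysmon.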
23542300x8000000000000000614066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:36.430{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC77289C234F3288B05FC91324E9E49D,SHA256=A55FDF60DAC972D8E974F315A65C4D732FA91908B8B242EEC341327446EAA573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:36.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D144D063F7A05C69B21D88F610A68EE4,SHA256=4499E9271BC7FA6D12EAB8D5B5E46344E74B025A0C51EEB6EFAB294DB11B4D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:37.446{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829A18B8BC034BD2C1FC4AD1301F0D31,SHA256=77E416DF03B176CEB01ED914C48E05F60D8F95D0E615172D545D461808A19DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:37.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46C9BB9C15099AA3AA3468FC91FE248,SHA256=1230A5A8E5E665642F6D21579E99889A6C0B5766CB8A0641E5611478ABBC2653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:38.243{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D85A0B85D06100ACC122227B0060BD,SHA256=5F6E5F6D5045DC60962C3D23C32802DE7888F3565C1C9C0FCEE96265313ACE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:38.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F436D307943B81F1E4C94D848E4614,SHA256=DB12AF0687DC7C32E3A838528BC605A253C1B5DC1D3CD881ABFC8A85A79E7DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:39.712{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E68F361E41F13254B2FA3C82A90A3A,SHA256=312351B1D069645771BD1A2F93C0D1778C2B5ADD16E3F354D5273C7F2E15FE63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:34.681{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51916-false10.0.1.12-8000- 23542300x8000000000000000614071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:39.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96190232731196BFB553D8C49574529,SHA256=158F81033EE5900DE7DF3283E51947716E70A5C2ADD7B05B978692EC94A8369C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:40.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8105BE03E7B29391F80001C9628C39,SHA256=12F6F5220B4178BAA8B4EFBFCAF7A35E331A8DCB4A11A74207E832E9EF2FE28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:41.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD50382DFDA833BC3104C11FD7B7528A,SHA256=A974DF08BB38CDBD4EC34D06B738D8E41D73D789287F145380F92A2B51192019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:41.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F24D0AC9CCF0E88BE9DF0FCEF2F7641F,SHA256=6D58DA1B690C0078377380BA6149B133D606ED566A03B10409D4B22F32DAD519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:41.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A77CE8E08BA333C5764D47BB93FDECE,SHA256=9BB6C5FBFDFA163A51236FD19FE54E6F34FB4D6F19C635D2B8E6A1B6C27F0069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:41.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE35A2346F4C1DB3102253C481480C9,SHA256=D53135E7764E0A86126FFB99F345232D760D31BBB3A8207ECB6FC39A57EFE57A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:39.890{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50974-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:42.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A0ED397BD48120834F11B6DA3F093B,SHA256=DF9CE5B47129F43A9A334E6F995D6DE072D55E6CE8C2BB700CB3FBBA52BB12F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:42.044{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7786C5B30BC3ED282672DA007F90BF13,SHA256=06DF49DFE5F4F59BDF8D6D98FCA8ABDF8B94379FE16D6FA8CC78F3C05B9401F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:42.044{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B507881BD986762348B6498C39441BF,SHA256=7917773C7819CE9D272A8239628EA7DD3AE30DF5D43CFB58D39183F313AA68BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:43.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992E69410673A6FD8383DA07870CDF61,SHA256=51634C6D9DB36F97E76BF0E37B9F6D3F001EB52908F9C9C8004025856E4434A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:43.216{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2355F60663AF6F19F068DAB022BFECD,SHA256=9B56BB34C986136452A091EA153C21F644B5C7DEED9B8700F12E1E08A2E4111A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:44.231{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25514AC547AF66613A8E2BD5FDE3F45C,SHA256=DA6AEB26F38D8AF64A2BDA33751E04C834D52F18F3CDDA9EFBEB16A354125625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:45.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1507F711EA4DADF1A86BFC540756FF78,SHA256=3AA0E83EC972D4A176148BD7DE8CAC6EF71CB015CD532AB9F2E454A1AFDCD549,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:40.701{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51917-false10.0.1.12-8000- 23542300x8000000000000000614080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:45.231{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A039718928D8CEC624E7F04B4284107B,SHA256=E514F283130B3EC484F95347C8DBD93A8B842D9B8EAC639DD891F0F96E78664F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:46.592{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6E0ED8020CD49DFAA24898F7F38461,SHA256=399836CB2B821C4C2CC13132A1D347BF076C20516A8756AAF956B97209A56087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:46.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5788D03CA3374597EB068892F163B49,SHA256=D2B059CDEEB17CBA9F9DD228515E304DB6D535778ABAE1A764F552DE47A1EFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:47.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57473EA7A2F032C689CE345D83A893D3,SHA256=621BBC254912D618982E5FDBA0B870F6C964BF5A4266FE46C6B0E5296AE8175C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:47.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD50382DFDA833BC3104C11FD7B7528A,SHA256=A974DF08BB38CDBD4EC34D06B738D8E41D73D789287F145380F92A2B51192019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:47.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A409113CDC59E8B4C0D241267409DC,SHA256=81AF87FED4EC61BD3D9322AE3B93B22DF37420A8CFE1DBC023235708357AA428,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:47.404{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:47.404{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:47.404{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPC
RT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000673366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:47.404{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000614085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:45.078{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50975-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:47.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AF08CC95D9CA1627C7AF5C1D1A57E0,SHA256=C25E6486C24F969B375F7E6E2BA84969D95E0411AC95C646FF662CBAFFFABA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:47.231{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9B034BBA3D9755C5775C6EA5B54B068,SHA256=90DAF884E980A0674EF15AA83580A29C640991D8D81B7979B22ECC0BCA4F2B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:47.231{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7786C5B30BC3ED282672DA007F90BF13,SHA256=06DF49DFE5F4F59BDF8D6D98FCA8ABDF8B94379FE16D6FA8CC78F3C05B9401F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:48.590{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F56C-60B8-6F5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:48.590{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:48.590{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:48.590{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:48.590{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:48.590{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F56C-60B8-6F5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:48.590{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F56C-60B8-6F5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:48.591{97C2ED32-F56C-60B8-6F5B-00000000C501}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:48.262{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1361D58DC6781B7DAF05AA7061E3FD,SHA256=99F5BD41DF620939550286E7599D37D8F90DD9E93749CB0C8DFB923F5D9704E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:49.326{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2CC6960CAE8EA3F6180F2C7401335B,SHA256=E5B90FA0B586A8D2BD7ED0A4F8083C0F4EA2FC51310486C021A4F97ADA1BEE76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:49.934{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F56D-60B8-715B-00000000C501}5180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:49.934{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:52.622{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614149Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:52.622{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614148Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:52.622{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614147Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:52.622{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F570-60B8-755B-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614146Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:52.622{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F570-60B8-755B-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:52.622{97C2ED32-F570-60B8-755B-00000000C501}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:52.512{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15222B82C9E5C016DD9374416987D17A,SHA256=2C6B800308743777B45F07C4D036E9470DCE0DCB1F7B16B7664D89BDAF244523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:52.262{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5D7269179CFA5C40F0CEB5526D4E90,SHA256=36F44ACF24017444B086541913400EF18EB49DD77833B1412C1B6813598F0CF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:52.075{97C2ED32-F56F-60B8-745B-00000000C501}43644836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:53.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3E3A97285A42A92B4F556E9F5F52AB,SHA256=C37646FB9609FECFDABE59B463BF6A7C48458F2B63B2D7453A87158A2E8E434F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614156Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:50.922{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50976-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614155Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:53.653{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63E064D3DCE722F30DE616C90B25127F,SHA256=E15285AD35F27AFE7CD4766246E50732C1FAE0E8EEAEFE5C154B48C6AF56E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614154Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:53.278{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279FC57CE35D68A5D40CFAAD29BEA322,SHA256=145A15294FFC2DC1D0E0BA733A8DE8D334EAE9BA77BD26C778C025718D2C6A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:54.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612930B70C3ADE6D3F3D1DAA31926256,SHA256=E849D5D1F568FE384DE1A3A1A814F7A66D1A6AC2B3F8BCB141778088D0C6045C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614157Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:54.278{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F8476203636C46D54B0C04A7DE65AB,SHA256=439537305774C314565A0F98F6FA67C33E59A79E4FABE93362380441F8ECA821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:55.842{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E56DA0F232CEC9C967B0475B08D70B0,SHA256=26AE528900934DD5095BADE27333F92253EC3C4EDA9206FBE1A46D0107EFE1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:55.811{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D18980CDF2AB76FA18E8E6F64C60EE7,SHA256=5A31E8B83824396172DF8EB40692E16C92F8E6AE28357F7139EAEB5DD2183BEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:51.639{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51919-false10.0.1.12-8000- 23542300x8000000000000000614158Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:55.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3709231EBC73746A8626DC3D3DEC9A,SHA256=C12F573831D034870A735B724F05EC0986BE211E48623E566FB9F093D62C02B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614159Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:56.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F86A90AB395D5FA06C05006BD90AD8B,SHA256=A5D633A27B8EF1633CFA696B8CC37B3103D1A9D1D0ED5B2370F7E4BBBA76DA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC0F778594E332EBE9E91C0ADD934B8,SHA256=08764D6658A302385386D1AEC9B307E2C60CF3D0D4DA7DBD01E5E347E8243BC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614160Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:57.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89320837238A2F8DA8610C4EF96C990,SHA256=98371FE2BAA6D7220892E077C236C0CC37DA17FEAA247C09BC42CBB0DB228C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12FE92175F0E4D3C9571E48CE729F0DA,SHA256=F2B04B4DD15A924A5518EC66E4D5F4DA20BAA6D85A3FF58D1DD78CD92ADD038E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42A739A864F9675DC0C1EAFCCAF77C9,SHA256=566B7010E6A7CD672FC994A07157498AF0860031FD6CA96E4849EBC25F54F8DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614161Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:58.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA9ED80E453B19CBAF23AD91FA7EC97,SHA256=BDAAB8C85A6807221A59533D40C2F1A114C8C3A9B4FB7780F3B72AE11BABB636,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614166Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:56.937{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50977-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614165Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:29:59.434{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:59.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AD468A0AD8D6BD748715669F30CE9E,SHA256=2CDFB2FE78DB3425B039FE6C92CF6F1716DB49E8F8ABE650007AF555CE610E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614163Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:59.137{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=752E1484E5C7A42DD9C423A62D283CD5,SHA256=CF16D781571B874F41C59706EB76BAFFF878B7C42FE164BF8F3EBBF1486EB1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614162Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:59.137{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0211F435E79A45328F1D5CE03EBFBC1,SHA256=D6B3567D20B7816AF235AC37E88006AEBDFF038AA626B5F63FD94AAF0B1BAE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:00.925{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DBB45BAF55B858361D2E1183E35C5AE4,SHA256=AAC7998F75068DF23E78E7D5FF8661EDDD1F5A238A2294892D80489E2007763E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:00.253{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA18081E43F6002549A8A998485D968,SHA256=B7EE61EF895E83101435CFFE91194F47C17841368D98EC0A8F44B635F8A227CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614168Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:00.439{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=752E1484E5C7A42DD9C423A62D283CD5,SHA256=CF16D781571B874F41C59706EB76BAFFF878B7C42FE164BF8F3EBBF1486EB1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614167Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:00.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50FDB8281AAB305D5B2FEF0873B67A2,SHA256=1E37D5D4600591151D4DCA9E5EDF66079652F2F5751ED28F4DA1A0C1189C51DC,IMPHASH=00000000000000000000000000000000falsetrue 
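The records in this dump are Sysmon events with their XML tags stripped, so header fields (EventID, Version, Level, Task, Opcode, Keywords, RecordNumber, Channel, Computer, UtcTime) and EventData fields run together with no separator. The Python below is an added example, not part of the dataset or of any Splunk tooling: it splits the raw text back into records, parses the three event types present here (3 NetworkConnect, 10 ProcessAccess, 23 FileDelete) and runs two baseline checks over them, ProcessAccess against lsass.exe with memory rights and network connections that lsass.exe itself initiated. The regexes and field names are my own inference from the Sysmon schema and the visible data; where a boundary cannot be recovered (SourceProcessId glued to SourceThreadId, addresses and ports in EventID 3) the code says so instead of guessing. Four sample records are copied from this dump with call traces abridged; the fifth, marked SYNTHETIC with a made-up host and GUIDs, is constructed so the lsass check has something to fire on.

```python
# Added example: field boundaries are inferred from the Sysmon schema, not given by the dump.
import re
from collections import Counter

# Header = EventID Version Level Task Opcode, Keywords, RecordNumber, Channel, Computer,
# Security UserID ("-"), then UtcTime opens the EventData. Sysmon sets Task == EventID,
# so the backreference splits the glued digit run ("1034100" -> 10, 3, 4, 10, 0).
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)"
    r"0x8000000000000000(?P<record>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<host>\S+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
)
# EventID 10 ProcessAccess. SourceProcessId and SourceThreadId are glued ("904928") and
# cannot be split without outside context, so they are kept as one field.
PROCESS_ACCESS = re.compile(
    r"\{(?P<sguid>[0-9A-F-]+)\}(?P<spid_tid>\d+)(?P<simage>[A-Za-z]:\\.+?)"
    r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+)(?P<calltrace>[A-Za-z]:\\.*)$"
)
# EventID 23 FileDelete.
FILE_DELETE = re.compile(
    r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<target>[A-Za-z]:\\.+?)(?P<hashes>(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+"
    r"(?:,(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+)*)(?P<is_exe>true|false)(?P<archived>true|false)$"
)
# EventID 3 NetworkConnect. IPs, hostnames and ports are glued with no separator, so only
# fields with unambiguous boundaries (and the trailing destination port) are recovered.
NET_CONNECT = re.compile(
    r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?\.exe)(?P<user>.+?)"
    r"(?P<proto>tcp|udp)(?P<initiated>true|false).*?(?P<dport>\d+)(?P<dportname>[a-z-]+)$"
)
BODY = {3: NET_CONNECT, 10: PROCESS_ACCESS, 23: FILE_DELETE}

def parse_records(raw):
    """Split the raw export at record headers and parse each body by event type."""
    text = " ".join(raw.split())  # rejoin lines the export wrapped at spaces
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        r = h.groupdict()
        r["eid"] = int(r["eid"])
        body = text[h.end():end].strip()
        m = BODY[r["eid"]].match(body) if r["eid"] in BODY else None
        r["parsed"] = m is not None
        if m:
            r.update(m.groupdict())
            if "hashes" in r:
                r["hashes"] = dict(kv.split("=", 1) for kv in r["hashes"].split(","))
        else:
            r["body"] = body  # unknown type or unexpected layout: keep it, do not drop it
        records.append(r)
    return records

def leaf(path):
    return path.rsplit("\\", 1)[-1].lower()

# Win32 process access rights as carried in GrantedAccess.
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"), (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"), (0x0020, "PROCESS_VM_WRITE"), (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0080, "PROCESS_CREATE_PROCESS"), (0x0100, "PROCESS_SET_QUOTA"), (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"), (0x0800, "PROCESS_SUSPEND_RESUME"), (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020  # thread injection or VM read/write

def decode_access(mask):
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]

def lsass_memory_access(records):
    """ProcessAccess (10) opening lsass.exe with memory rights; 0x1000 query-only opens do not count."""
    hits = []
    for r in records:
        if r["eid"] == 10 and r["parsed"] and leaf(r["timage"]) == "lsass.exe":
            mask = int(r["access"], 16)
            if mask & MEMORY_RIGHTS:
                hits.append((r["host"], r["utc"], r["simage"], r["access"], decode_access(mask)))
    return hits

def lsass_outbound(records):
    """NetworkConnect (3) that lsass.exe initiated; on a DC it serves LDAP inbound, so outbound is the odd case."""
    return [(r["host"], r["utc"], r["dport"], r["dportname"]) for r in records
            if r["eid"] == 3 and r["parsed"] and r["initiated"] == "true"
            and leaf(r["image"]) == "lsass.exe"]

def summarize(records):
    """Event count per (EventID, acting image): a quick view of what a dump contains."""
    return Counter((r["eid"], leaf(r.get("image") or r.get("simage") or "?")) for r in records)

# Four records copied from the dump (call traces abridged) plus one SYNTHETIC record,
# constructed for this example and not present in the dump, so the lsass check fires.
SAMPLE = r"""
10341000x8000000000000000673402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.342{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\rpcss.dll+ed71|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:58.545{D419E45B-78A4-60B6-BF02-00000000C401}39764516C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x8000000000000000614164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:59.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AD468A0AD8D6BD748715669F30CE9E,SHA256=2CDFB2FE78DB3425B039FE6C92CF6F1716DB49E8F8ABE650007AF555CE610E14,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000673443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:02.581{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local51922-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap
10341000x8000000000000000999999Microsoft-Windows-Sysmon/OperationalSYNTHETIC-host.example-2021-06-03 15:31:00.000{00000000-0000-0000-0000-000000000000}10001001C:\Users\Public\synthetic.exe{00000000-0000-0000-0000-000000000001}632C:\Windows\System32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134
"""
```

Run `parse_records` over the whole export joined into one string; records whose body does not fit a known layout are kept with the raw `body` rather than dropped. On the real records above both checks return nothing, which is the point: the svchost.exe openings of Explorer.EXE and the SystemApps processes carry GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION only), Explorer's open of powershell.exe is 0x1400 (query rights only), and lsass.exe on win-dc-233 appears as the receiver of an LDAP connection (Initiated=false, port 389) from Microsoft.ActiveDirectory.WebServices.exe, all expected on a domain controller. Only the synthetic record, which opens lsass.exe with 0x1010 (PROCESS_VM_READ plus query), trips the memory-access check.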
23542300x8000000000000000673432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:01.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E650D19B677C5907CAEDDABF80AB0C6,SHA256=CD071880273451267758AA4F98502BA6D790E1B5795777DBDFEB571AF3A27F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:01.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389C017F4A9BA30BF975FC11D8A2F092,SHA256=ED8C13B8CC97E5F27223D9071A6AE411852E8D8794F0C2A8F823B80CABA3972D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614169Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:01.298{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665E8E0F460B9DD3A32E5B782CB941CA,SHA256=276CF8CABA6B3275F3A14BAC1665F54BB378F608DE9ABD5B6EC303D2D5102D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:57.643{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51920-false10.0.1.12-8000- 23542300x8000000000000000673433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:02.440{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614172Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:02.486{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1F98FE3C4672C1AFF93AB11CB56EDB23,SHA256=18FAE67D3686FBF68ECFDDA9141BE97545691EF0F746E675CFAC3605A2EC568C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614171Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:02.314{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDD480A835FB3A6FE9856990D3D4018,SHA256=624AB99A151274FA020EB864AF62A7A352E1AC79033E3F9EE33F602DF3D9438B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614170Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:29:58.266{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50978-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000673436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:03.690{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2142FA712A15B7178BB4BE18B963345,SHA256=83AEDE35943FFF55E2A350CD340AEA76191CCF3E615B03510CC66C44EE5E7903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:03.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA05F77608CC3546DBF5F66659871C0,SHA256=C765A41A842E061F02DC0B301ABD304871822664706C7B5E01B99940908EBEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614173Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:03.314{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB376261FC0D24584E0A33A9D565CE24,SHA256=27C04A97D396F9E74625AA8884CE25C74F0F1A0D667D25D895E065ED0D035DF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:29:59.878{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51921-false10.0.1.12-8089- 23542300x8000000000000000673437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:04.378{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCC9EBA038AC06B0FA3C655758A4472,SHA256=7F1FB535A8A7348D1F81B91EA6C59297E6C86207185F3A844129A57B6F4652A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614175Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:04.314{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64DBDE5A4F43FA451527ED99DB9EC12,SHA256=4C5D7C857D7F2AFE4B32C045B2F7E59E793E0622281AAC1C31C9654216941F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614174Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:04.220{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B60EF1BA742CC462E84D7DB802CCE2E,SHA256=F40D011BD796773EB6DA5026E0941874B999CA1C2CFAF6E223C1AE7DCABFE81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:05.753{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1C9B1AA5AAA808D5D67C1A858B1275,SHA256=C5C46D990E07C9BD7C5656918A71EC4411A901EB0A646C577AC2BF7C70F7671B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:05.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
10341000x8000000000000000673471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.475{D419E45B-F586-60B8-4151-00000000C401}58165516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.303{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F586-60B8-4151-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.303{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F586-60B8-4151-00000000C401}5816C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.303{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F586-60B8-4151-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.276{D419E45B-F586-60B8-4151-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F5DE7D1C32783C42935EBCABFB6A52,SHA256=979E312A59FDE792DED96F5233CDC43821069265E509C4C8EF1CA235D0E23502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F9165AB1B98A2DC541B919E8D3FB1F,SHA256=8705739514D968EBF053936B4B77AAA15C71209136E77B6403C3E3D3968BBE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614216Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:14.756{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405CA707E4EEF5BDCBE3A61BCAE34CE8,SHA256=D62D1F3B1D50E48591EE41D381E5018ADCA5CDB55DB3132621D6DCC04D76D8C1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.771{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924E83D977AE03FEDC5891527EC4CEFC,SHA256=3582A156E9BB0649A5260B7C108D8A534257164CFB3660749D24A1728C25DF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.771{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D18876A4B78A063E822B04529D9D38D,SHA256=5239F02128C46CD00A7D5F8CFFEF4A6F56D0A3267CA93827DAF127BAA83DC36C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.756{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F587-60B8-4351-00000000C401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:15.756{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.756{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:15.756{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.756{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.756{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F587-60B8-4351-00000000C401}3136C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.756{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F587-60B8-4351-00000000C401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.617{D419E45B-F587-60B8-4351-00000000C401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000673482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.240{D419E45B-F586-60B8-4251-00000000C401}65121932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79663CA22EA2CFF00D1C1C8C05A115D3,SHA256=8DFD1F2FCE829A984527AB2E61E41AD6F671D5996CF25DAD1DD2BF7A82484A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.053{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=505735B080E66622E2E71DB1207754CC,SHA256=28431CBA87971C48D19F70C3ED93E42EBE5D3A84DA9DC30C2F4C6B691606550A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.053{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F586-60B8-4251-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.053{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:15.053{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.053{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:15.053{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.053{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F586-60B8-4251-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:15.053{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F586-60B8-4251-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:14.915{D419E45B-F586-60B8-4251-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614219Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:15.756{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AFE7F4BCA69610B64DBC3ACA729E34,SHA256=3E6D8FD783815D414E392B2CD446B41275FA2F4034CA3332871BC40236178075,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000614218Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:15.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1CF76BC9A369D4AA0E78075F3DD467F,SHA256=262451E8E8FCEF53B9CA79ACC3BEF673B47B31751D5BB2E985A4C83B69366CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614217Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:15.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7032BBB45A92974F6E22AF2E5D3C0E96,SHA256=28F93A7992112DB4DF4426A43511DFD3289829572074C6680477FF8AEF48AB66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:16.990{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-F588-60B8-4551-00000000C401}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F588-60B8-4551-00000000C401}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.977{D419E45B-F588-60B8-4551-00000000C401}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C50BFEB3B65507D3982D6E580BA1199,SHA256=6601210EE17E304FD889B6A3E2594CCD2409DA502E019061204AF3A9CD090FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:16.662{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8993EEF39BD1DD4E4FAA42AB1B6945BA,SHA256=17E7AB9C2F19D6378AC3DE7F03509E60B60C8F4FA5EDA1BE4C25D5BEA2C885C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.460{D419E45B-F588-60B8-4451-00000000C401}14484376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.303{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5443ECF3510A2ED3D43A3EFEE0801F5B,SHA256=0FB47A093D73708F2D6D12DEBBDD82E04ABCC974F8C64635FF8BA0AB39D99F12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.303{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F588-60B8-4451-00000000C401}1448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.287{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:16.287{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.287{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:16.287{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.287{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F588-60B8-4451-00000000C401}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.287{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F588-60B8-4451-00000000C401}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.289{D419E45B-F588-60B8-4451-00000000C401}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614221Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:16.772{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4672D61102BF9CCCFD3DB0173704C76,SHA256=B3B222002128A7FCEA1E158EF357930F0C2DB41CF35C84154AFEDE46A9B8251D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614220Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:13.058{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50981-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000673522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.662{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F589-60B8-4651-00000000C401}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.662{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:17.662{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.662{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:17.662{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.662{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F589-60B8-4651-00000000C401}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.662{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F589-60B8-4651-00000000C401}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.663{D419E45B-F589-60B8-4651-00000000C401}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000673514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:17.162{D419E45B-F588-60B8-4551-00000000C401}22045204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE822EE974B9AF171E11F2AA4C9FE51E,SHA256=D7AEBF64B9661393317E621D771AAF0971D202DE4C8E74D0B23E0C19FC35D8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:16.990{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F588-60B8-4551-00000000C401}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614222Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:17.772{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC95522AC3A37D96FA8472083A46738C,SHA256=A2A27B9E991EBF4EDFFE4AB8DB3877537CB2C0FED486B09A9069F9FEB691B596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:18.725{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B7A836ED7A98A10940CC1E3A4C31C13,SHA256=E7ED043C4759A3D7025920447DBDF8B0ED5C889B56BC4B0F675831423EBBCA47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:18.365{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F58A-60B8-4751-00000000C401}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:18.350{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:18.350{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:18.350{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:18.350{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:18.350{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F58A-60B8-4751-00000000C401}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:18.350{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F58A-60B8-4751-00000000C401}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370AE65C0863E61A1AF2453A7B38E223,SHA256=03C892E0510566D853873B3ACFD300D7F014CDB7541CD672F6CE18F2A785EE0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:29.955{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50984-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:32.201{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C026150E2F395E9DEE7DC4FF3E354911,SHA256=974EE88D35FB3B3DB7E23C042F3011443FE6F3CFB533616FF79396DAB41D9EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:32.312{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A5A59ED91FAB21EDEBA73F3C4D68F85F,SHA256=6D03F004D3271D1E00D358D54C85FB9AF718512DBF0C4ADEA466DB18D07AA8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:33.796{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A543816F25C50C24750C3F0E2CDC59B5,SHA256=D6B1ED10AD36DD2990C8957BFBBB59D0BCE48306A1979E2F9600C5F7AC226B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:33.718{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0CFBC92F56D6C05C5EC172A3ADC88F7,SHA256=ACF14B0944C24239AA6465AF5F5FD6AA4F3D78D0031907264430AE0FADDD8ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:33.718{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B3854B7C069A4E6D12570FC7F616A9,SHA256=5816F3070F5660D0E31956FF483EA336707812F31153B6A20D4FB8E50CF49E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:33.014{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDE38E3EEA7AFD48EC810F19A37B01F,SHA256=57FEB5BD0BC8CAA8CE8DAA2099C6368447C1E707EAA1CEEDAFF8704A2C3A93A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:34.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0A037FE30F28B377746A1E47D93BEE,SHA256=BC2C0434928CFACF51DA43D74FE7775F7705EEF2A308E1EBA827CDF04B831609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:34.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96564F8591D8EFD4E1497C7CEE3BC453,SHA256=658DC6D99CD35FE1315B76C142A38EDF05123E6E6F59FD9C85E71093CB951FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:34.014{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C274A705BC604858AFC5383B1FE3073,SHA256=F70DAD8AA0246E79BEB7D5297B75C6ED9CA9AAE218E7893770C20F93D8E4FC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614251Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:35.029{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D86F8698C297C67040AE6542502B6F1,SHA256=59A8EF200285A42A172D2B5A21E7379971E5ECAA2056BA928E3F30AF526607EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:31.686{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51928-false10.0.1.12-8000- 23542300x8000000000000000614252Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:36.029{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FB80783FEBEF5A429502B636E1B023,SHA256=B90699E74E3593D318F4C8F0B4EC73E5A1CEE9925C3C7579FA318107539E8444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:36.093{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=272CD9FB4AA3DA055B86FADC78704FB6,SHA256=B8B4C59326F66F557570BDF119A2E2D0A209F6643AA1944701CD7EF95AA3C9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:36.093{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DD6F4E09CD3056E723E3EA87BEFAC5,SHA256=D214CA71959F7D9F6A1DC3207AE968D16334BE8FE3D3E87F27C548DC3D25B4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:37.234{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=095367D97EC7FB63CFC2C21844FE35DF,SHA256=02BBD24E34D9C1FBEC4964614D26CAD87BEEC0A1799AC852BFDB32EF7B7F93AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:37.234{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25B4D94EC7A6250A3CC38A89B6CFA07,SHA256=F452950F91EDC6BAA0F6AF63A7AE8AF82A826C6A41F188EF96CC4ABAD89DE195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614253Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:37.029{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36BB469128696A5B8F671F4D4663BAC,SHA256=D36722C0CA0363237DE5E8831BAF9F962BF23CFA5D6FE2F772B405F0EA8F0EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:38.374{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D33E85539C33F771E82B5F0A68A44BE,SHA256=2E853D085DE4F1C895B95AD765AA558E2DD56F3C6C53D716833DB6D06EBEBDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:38.280{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42D962549E2EA84226699B869FA1992,SHA256=1F79147E670C084F4E876027ED6436E6DD5DFF50926C876D65480FC8BFA70A78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:35.908{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50985-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:38.295{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA02BC078A44898577ED8F8CCE782F01,SHA256=BFFB3B46EF2E8C4AC9CD34CBE40074BCBA5E848425D9CA6F7B894AB2EE3AB7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:38.295{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED32A84350FF61229B94E9DFE4214537,SHA256=362F29413E3576B2B1E0972575FEEE25A1C1F4B66A80A4A364EE437C6B6C88F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614254Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:38.045{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C851C4455CC0C1EC324EB092AAFDAB,SHA256=0B797F8E76AAA1905E87FC3B872EDBF2245E537901BCEECBC9388F3095056E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:39.515{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26ED19CAFF38319673BE749B41CEE99F,SHA256=8D76CAF843F26F98B79075C7B79E1AAC175F41CBEF007F97371D260F53A922A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:39.297{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84DA5683B08D5920991C873C68A5DEB,SHA256=DD1D545F22FA50B5BFEDAD6D830888DDFC3F185219F863091D6FC5BDC615F09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:39.076{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEEEBB53139C4E617BAB76018A3B304,SHA256=F2A515FD0F738A2B7AF350500F3179D26AEE8C97122FFA3094155F60F607BE39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:40.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E687998E76BB249EF721F9BDBFDDF8,SHA256=0F3C0748907DFC4B2E639E1CB199D871FC6876E8529813E6483291A8D1C325E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:40.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2699809B7C3C77EFB4AF1CAA1255B126,SHA256=2DD3438D797EBA814236194D9B791A3E2F9F932689719C31901E90853CA06277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:40.127{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9388B47EFF0F9591AEEC22D01311B5,SHA256=298992AC0C53A2129994A7939EAF0D284C202B88DDEAA541CAC3F1E5E2A56E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:41.691{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296AC8A367230E6867A46129EC165F71,SHA256=FE7EF3555A68D4B9C4269C9E0FDED6A456CA9DA0F9FB65A75F129B70CDB300CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:37.534{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51929-false10.0.1.12-8000- 23542300x8000000000000000673602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:41.394{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DC024D4CA4C4B29283CECD329D0B07,SHA256=00B4BD1F0D53417D8CF668AE1C0C8FD0AFD9EB6AFB55C083FDC9DB195A1D7A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:41.174{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96393FBDF9FB7055FA7C141A21C609EF,SHA256=D554D3613ED8288D261B8E2FD67851BE984E0E9FEC12C2803CC71BB77D7BCC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:42.863{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0805F67ED9E81B18465AF688D4EB8C6,SHA256=BA23297836CC44C435AA79443D1ECB7E35DD30E93AFA09F9D80C26BA6C8D7938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:42.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041CC857CA94B22D574A508C8BF5B2CD,SHA256=2688EA1978879B0D3A4BD206ED4D419BB36665EA5CE5522D66CD6A07E844E109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:42.174{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57CAC93740790788D5E6D6BB4CC0705,SHA256=725430D835C1548A74996E60944AC0463B164E011FC79ECB116E1DE73B749009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:40.990{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50986-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:43.189{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA02BC078A44898577ED8F8CCE782F01,SHA256=BFFB3B46EF2E8C4AC9CD34CBE40074BCBA5E848425D9CA6F7B894AB2EE3AB7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:43.174{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123262EE98EABABCDCEA851D030D176F,SHA256=422136575AF84B20EDEB29A64C9E54E8682A6BB22C626429F3BBC1C1B220D684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:43.425{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA63FF849382F801EAEE8268BA223AF,SHA256=3CEB42B848DA8934C62C1DF132BFC1A8A13C6277DBFE1C8C9BF929ABF27B95BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:44.441{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A398980355E4B6D0D94295BBFAA490A,SHA256=71506790D8207856FCAE03BE4F7413112D56B108726808F63342ED7C3B5B9EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:44.205{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BE2497165B7B4EC7E8076C3AE3932D,SHA256=522FD328C9F7E6ACE3906875CF8862EF204607B5E061B7F909C7D97BC45CCD27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:44.113{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3198F9811FF21E0A229238FCEF987259,SHA256=3B3320EF57AEF2BD8C4BA9DCE2DB003B36BBE634A9F6065C844C7C8B737F32A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:45.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CA1F66BB4C71D3FA7BFFDA6E6DECB7,SHA256=428F30E9ED9F5B4EF35CE6185E0981CDD69B1A0B09B968A2DA867338AC3C443C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:45.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907CB350D0030426AF9B36869188922F,SHA256=E0F00831921FB92348AB2018759312A79B294EC48D7F9ED13D6DC35FBC9474F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:45.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5462074B21FB04A1F57337460C3881C,SHA256=FFBB827B87C2EF33C16DD221DC1FB777EDB2DA9A399DE6C54B1A185CB9A793E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:30:46.675{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=497DAD51F727D0ED58F552D10477E259,SHA256=415EE9F257569FC21C3D817894E69FA081FAB15C9B00544C0A3BFC987E67F183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:46.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7CF86A285AC86D80B14035BCD9D137,SHA256=C0D0DF3B5C1327A6A2FB0605E1701E9226B997638B13F2B67B6643BC7C712AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:46.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E778A3FF867205B442BEBECBD30D15F,SHA256=35C987C9AF28CC64962FAEEB3E8441B19F41D4EF728BC6DF98469DADD84A0FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:47.299{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB31B70FA41CA4546974EF30D61429BA,SHA256=132F841F1EB995430670E9C854B6159A32B54E967C000CD661B7631FB6EA815E,IMPHASH=00000000000000000000000000000000falsetrue 
15:30:51.830{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.830{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F5AB-60B8-7B5B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.830{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F5AB-60B8-7B5B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.831{97C2ED32-F5AB-60B8-7B5B-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.565{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B049DD5892A36474FB0DAC5A788AD4,SHA256=6EDFABE29367E2B64D04FDF2D6C810BDE6D534E00BC3077371A7AF5356502BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:51.346{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6394F52BAACEFE7DE69CF2B3907D03D,SHA256=E327C528BC4C2491511E6533A211D5EB463AD50309D035EFE6BDFE19B2E72509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:51.441{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E709F78DC4E865458DE41966A2A9BF59,SHA256=C55E17880F95A249B15067E2B41518A9D27DED69DF2D4133A0A484989DA73679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.283{97C2ED32-F5AB-60B8-7A5B-00000000C501}52484552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.158{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F5AB-60B8-7A5B-00000000C501}5248C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:51.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:51.158{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.158{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F5AB-60B8-7A5B-00000000C501}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.158{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F5AB-60B8-7A5B-00000000C501}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:51.159{97C2ED32-F5AB-60B8-7A5B-00000000C501}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:52.941{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A6CB76D2A78E931D232BCDA04B4CADB,SHA256=D0B09DDAA3F546652B35F1316AA8165CBB2D451F935F6718C263B60531BF147A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:52.941{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C892FB29975BC12462B27F5EAFB3C972,SHA256=B46994DA9B51871B9BA7237B30EF64A4834D29D47E56ED20E2C8FEEAC36A0D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.643{97C2ED32-F5AC-60B8-7C5B-00000000C501}59245688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.502{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F5AC-60B8-7C5B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:52.502{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.502{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:52.502{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.502{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:30:52.502{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F5AC-60B8-7C5B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.502{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F5AC-60B8-7C5B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.503{97C2ED32-F5AC-60B8-7C5B-00000000C501}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:52.361{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B9686FC5A6615201B3752D30A03E0E,SHA256=19A51A9A87AFB2F614678144B5324CE35548725D8463C149F9611CE6AE877BCF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:30:52.550{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000673626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 15:30:52.534{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000673625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 
15:30:52.534{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 12241200x8000000000000000673624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-DeleteValue2021-06-03 15:30:52.488{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x8000000000000000673638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:53.956{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9B0FFB2A160C24AE39333C2705D016,SHA256=4CC95E7146C57C45EC1A6E22DD9220F197A04B96514D2C34D0CFD4F034C35665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:30:53.377{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F037FC7E8C2BDA7496CEA953449C5,SHA256=F869DF63194778BD0B9E4D562C74EFD52FBEEEA199799ED72CF80C5DC6E3F9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:53.644{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4439035FC14074DD60B2E326DF7EADC2,SHA256=3E27D6E4FF681DF81281FD63FDE2FBC5BF08845A2C3081A746C01C60EA16A53B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:50.007{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51933-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000673635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:50.007{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51933-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000673634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:49.988{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51932-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000673633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:49.988{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local51932-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000673632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:30:53.550{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Sysmon events from the Splunk attack range, one event per line. The export had its field separators stripped; they are restored here as " | " and the leading run of digits is split into EventID | Version | Level | Task | Opcode. The field order per EventID follows the Sysmon event schema (reconstructed from the schema, not stated on the page):
EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | then the EventID-specific fields:
  3 (NetworkConnect): ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  10 (ProcessAccess): SourceProcessGUID | SourceProcessId+SourceThreadId (run together in the export and left as-is) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames joined with "|" as Sysmon writes them)
  11 (FileCreate): ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  23 (FileDelete): ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

(tail of a record whose beginning falls before this section) Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | MD5=A617D58E656272DB370619882558B2A0,SHA256=549BA5B2363002D3E566A00BC109BD262F7FAFB4A00076E299E3A341173632AA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673631 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:53.550 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | MD5=78BDB4BA3741A9DE1CD425ABC6A36DD7,SHA256=D83752F96314D04EDB4EE743540E7481312A1C63D6D071E19BC58476DDE6EC56,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673630 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:48.518 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51931 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614339 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:53.080 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=306A286F2BBFB750EBED4B6DCF017805,SHA256=DCA808D932FC35076D982C7083B7FF21753B9ADE1BC808456585C4AB264A53DF,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 614343 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:52.084 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50988 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614342 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:54.377 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=77A7B682C693D386F3CFC1BF452283C7,SHA256=3613E52FE5027A77D8F877E05A0292A41A1290BCDCE86BE7AEA609884DCDF347,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673640 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:50.014 | {D419E45B-752D-60B6-0B00-00000000C401} | 632 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | false | true | fe80:0:0:0:8a7:5018:d121:bd39 | win-dc-233.attackrange.local | 51934 | - | true | fe80:0:0:0:8a7:5018:d121:bd39 | win-dc-233.attackrange.local | 389 | ldap
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673639 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:50.014 | {D419E45B-753F-60B6-2A00-00000000C401} | 2892 | C:\Windows\System32\dfsrs.exe | NT AUTHORITY\SYSTEM | tcp | true | true | fe80:0:0:0:8a7:5018:d121:bd39 | win-dc-233.attackrange.local | 51934 | - | true | fe80:0:0:0:8a7:5018:d121:bd39 | win-dc-233.attackrange.local | 389 | ldap
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614341 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:54.252 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=14E227B793A7E484AE5C8D751C7A816D,SHA256=7CA53DF1A32522E42A84DF7E4C69A9B6B41A689ED0FBE7220FE622A2CECF4339,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614344 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:55.393 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=82ADF0AF41F46EE8791E81575984D522,SHA256=07F613765787C25008785D1C5A2C4AD15F83C791BB55954A6A2E4514B8077DF5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673642 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:55.159 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=227D6E6DC29048E4489CB1E935F34EAD,SHA256=85A2C7B65C7028929D503CCE437F9F29D5275313154631A8BEDDF5A823CBA2A5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673641 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:55.159 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F7BD86A21491B87174C74B31A5CCBA8E,SHA256=38BA745937D4DEED24084A1E0BFC121C087D2E0DE4CDD10325987B2464DA68AA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614345 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:56.424 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F0B5094C6EEA55289FD9A4178C37E1B8,SHA256=6FA0AED29798821E87CB92ABDC0600F3EFCA088791C6AD56CB1E848D7D28B8B4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673644 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:56.300 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=2FD9827CCC389F651E35A96576A1E49A,SHA256=0338B79F660F9E4835098924613B92920E682E41A7A922383BC160FB8F43D001,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673643 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:56.300 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BF4CD3A76C05E2B0984783F4DF5297A2,SHA256=8C8A496B1DF173C54DDD2EAC410108194CF12713F9A6FC55E161E8A19B793141,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614346 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:57.424 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F5D3646CC4B1066E8C06C7A3C13C1202,SHA256=BE8AB38DE130E3BF4819EA6CB4AE978763D51FC1269AF9E74FCF99A5E61651C6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673646 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:57.441 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=218D5741AAAA2C7AA7037DBB738EE890,SHA256=C2489476AD425427F82B1E912CCBC304DE6F44451F2E937F8F8DA7A16DEBEC26,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673645 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:57.362 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=369A822930C7A934206BAF5DEA80C476,SHA256=AC8BCA939AE6F5B98F40A61E87FEC2116C36CE653E8FB4EEB919A962AFF0C530,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614347 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:58.440 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D5C8FF89860F802208A377A9F24AC45C,SHA256=939DDD86CCAAFFC5E90E638CB976A98F3DAA76C20377FAD851C7DD3321BC3E68,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673649 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:58.489 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=164692BF090376EEA7C6828C9A423809,SHA256=5708611961AEEDA2E4FF16BF2E9178A4E308CD32B5C9549ADDA6EF9F162E0FB4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673648 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:58.472 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6C1D269357214AEFBC7FC03E3A228EC3,SHA256=32452494BB406CA459863AB697C9D4D3F704111E59CD00128BC3EF343A3BB53E,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673647 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:54.518 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51935 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673651 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:59.597 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=8237D832DBB6305479E6D3A9D626F2E9,SHA256=A95C12C5D9928CB85973939DD94A9DD26894581E335424D87EB50FE991D3EC1D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673650 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:59.487 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=36AAEBC36B2ECE1E44CE23C58510FD32,SHA256=7A27F4D104D7E41A36E5D60B715C47D4745A7FCA57C551A0B531C7CF1669DF17,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614349 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:59.455 | {97C2ED32-787E-60B6-C000-00000000C501} | 3336 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614348 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:59.455 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DABA642D4577B9CD3A1E94FA6E083441,SHA256=7ED71FD5F2C0928A43B3634A717EA7263AB430B68770EC7CAA4BFD746604F532,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673653 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:00.742 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D94A1143A3EBF70692E61D86301AF3BF,SHA256=3457EFB85F60DE68E6267EDA4965A5A34D4AA3793DAC6C252F2D72081C71AC3F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673652 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:00.508 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C079CB5C33A893EE5F5827F9D4D8A07B,SHA256=A17CD29A7B828D93B9C174A040B35B2DD8845F7E4B83A2A8D2CABEDB0D724A65,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614352 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:00.460 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D8D387C69F217FA232FC569B884FA35E,SHA256=D458C6FF37C97F90AAD8651CE262635062DC7A36889291784561A0104DB94AE7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614351 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:00.163 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=57DEFE7854B666DB3FD68DFE4113FA93,SHA256=C5874192656E6A2EF38A411AB76E418C10CE0E818FB66B97B615FAC80AC3D10D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614350 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:00.163 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=A842D6A2591FFB6FE8A63CDF738F29A7,SHA256=37996CFE1F5B6799BECEBFD39839866F177673FD4C924A835D72BB8DDECA31FC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614355 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:01.460 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A23172DD7B654F3C1DA531B2EB1D283C,SHA256=3B8A362F4C2326AA3012499C258EFF74A1012A75FA5B8E5F1EC3A2301481A83D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673656 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:01.883 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=AAC28386CCAB038BEEA21DD6FB03DF2A,SHA256=F341E1BD1ED8566A6AFC5994F8D7C11272D0B9EC4FE2EC8216B421F371B1EE9A,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 673655 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | EXE | 2021-06-03 15:31:01.727 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\notrar.exe | 2021-06-03 15:31:01.727
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673654 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:01.570 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=293139929F7B2876230D0D4388D80080,SHA256=FB4EEDF23E7EB6D33F7F8777D525147B4CADE0382544007AFCB8716D67F37386,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 614354 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:58.287 | {97C2ED32-787E-60B6-C000-00000000C501} | 3336 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50990 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8089 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 614353 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:30:57.974 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50989 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614357 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:02.491 | {97C2ED32-772F-60B6-1000-00000000C501} | 976 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | MD5=B4FA1523B6D49FF2D676390B2FBDFA8E,SHA256=97A5D91F36D001A6659D8292EBAE963BA9F911452D46D2D3ABF7C5450EE3F9C9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614356 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:02.475 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=67D1DD91F79E552D6B1F411AA44896AA,SHA256=B7E0F5234E0C61F4437FF31544C4801103FA3684FB0F76AE69937B07E5AF5E57,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673659 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:02.758 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=ADA7DD441EA747723153E57825E41EDF,SHA256=BCF3F83DDC70FF45E76F3EB3E2D65989C003E99AF8A2D092ECB9816F50A4D807,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673658 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:02.602 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=86A021402C8272396DF2626E68D2801F,SHA256=F4EF4C2A646C3E0E98D110EB930C109BB9625002AEBB8E85BEE5C10667170318,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673657 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:02.461 | {D419E45B-753F-60B6-2E00-00000000C401} | 3052 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673661 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:03.617 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B35ECCBBA54B3C7C539E505339F180F8,SHA256=A897F9203C0D896F33F274DE4ED992E0501DE99156CAD3B5DE73E87ADA94CDF2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614358 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:03.491 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CDDB917B5D6778C76896822F51122166,SHA256=E8CD20593843BFF703BEA984B27D4138A2082D8F55DF266F16BEF88AA8ECB32A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673660 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:03.008 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=C5E06633929A3AF05D53588B2FDCE6FD,SHA256=F09861A46ABE0E5CC4DE06233A04A5865903EAE9EBC1D0293E6DBD40B94561BF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673665 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:04.633 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BF3E1B2329AB1B06819386AB227901E1,SHA256=2B2EDFFE2C06FA4E30BD371CDC110E09BDA03CC159DC9490E983BB05DD00047F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614359 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:04.507 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=31D75E8C176963463FBC23E6167EA5C0,SHA256=141C7B38E2C2858655E89EDA5063D8BC42FE8284FEA142BB52D65BD61FDBD81D,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673664 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:59.898 | {D419E45B-753F-60B6-2E00-00000000C401} | 3052 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51937 | - | false | 10.0.1.12 | - | 8089 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673663 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:30:59.585 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51936 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673662 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:04.102 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=8F1F3A9817038BDB8EA3D2E3C02ABA08,SHA256=6027F287B47A8CE5E7ABDB6231244D7FC462A451E6ED85CC4C2796D2EDBBA96F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673667 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:05.695 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F113B425881F0D19850C463D4110F998,SHA256=8BE121DDD46229B7416BFAEFE19DF3C167660466161D51F45880AFBE133E64AA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614360 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:05.522 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DB8C8A3AEF15B5F88AE779FFDFB60C49,SHA256=654276CAAEBAFFB14DE09F181568C41C51CE4588C6893ED18A36604287CBBE21,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673666 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:05.352 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=195FC0D0594A02E7D25F5D811C0B29D0,SHA256=646CC9DC9BE12F5BE1AE077F8449615218CE47C676593D7AF2AEBDB60982B5E0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673671 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:06.711 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7084B304AD21F87D4547F60FD6229464,SHA256=E5AD522259EA1EE5BAA010FEF7B66374F497F05C274395D2D30AE1160C594DE6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614363 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:06.538 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2257025D4FB351128F7AC5D6B6F32C4A,SHA256=A998A8023F819937A81C4FE617A940552871943C7EA963F5DC55EF46E84CAB7E,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673670 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:02.601 | {D419E45B-752D-60B6-0B00-00000000C401} | 632 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 51938 | - | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 389 | ldap
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673669 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:02.601 | {D419E45B-753F-60B6-2D00-00000000C401} | 3028 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | NT AUTHORITY\SYSTEM | tcp | true | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 51938 | - | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 389 | ldap
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673668 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:06.570 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=219E17AE3D139FED69F1AC16C649D9F9,SHA256=0665BBBDC2BBA38D92B5D4B0AC638366CDB89949004DC05FFFE62C03B61A4A59,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614362 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:06.147 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=25AC3E3DABC195654B1AD8DE7A5A8619,SHA256=78C2CFA1C02100DD7BBCCBD0FCDD6EDA1CF36138C7BD34AECD1EB2F668B530B9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614361 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:06.147 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=57DEFE7854B666DB3FD68DFE4113FA93,SHA256=C5874192656E6A2EF38A411AB76E418C10CE0E818FB66B97B615FAC80AC3D10D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673673 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:07.992 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=CAEDA6AA044F6543B75243276E3418CC,SHA256=5AB4534E5F53290A259660023D6563E1CD9C700B1A25F7631C2B3645024EEA82,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673672 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:07.711 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A9E5FA362A23A3F652FC2B8D010CBB32,SHA256=6280BDE98982C61058305A22FAA26AB2CA292F17748C66AE04387E1495E6698C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614365 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:07.569 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BC8A5C2211BB32463748DF57ACECA9E1,SHA256=AB69F636954074B7A503B8196C191796D9BCBDCF6BD5AA0A00B558C1827C5747,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 614364 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:03.932 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50991 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614366 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:08.585 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E5A0EE8086870E35F20415E12ADBD28B,SHA256=615281AE8A9A736E5745704D64DAB2ABDA30F9E85094C688AEAD322F735EE231,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673674 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:08.727 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=45A7A323D65F217C50B9D8D40156DE7F,SHA256=6E6DC3F4F3243194EB92632D56719EEAE78EECDAA750BCC1164593E31BA94FE3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614367 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:09.617 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F9F199EC19C868035C54DD3362C0793D,SHA256=FD6C74FBF6F957753896E1A3E22B0CA196596DC6C48A0C34FB48B24F348F08B0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673677 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:09.742 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=44ED0AE84C7C3DE3F68ECB8D4643F7CC,SHA256=146918FA6254A9E75BEB883C22D873BF653D2FBD6CC3512FD6DFAB51EC83B9C0,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 673676 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:05.569 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 51939 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673675 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:09.117 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=C709A0084350865933F4AB2FB903F691,SHA256=17D927DCBC2DF5450A5A7C8678207E286372CB783507AEF26D3C82D91C6FD907,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673679 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:10.742 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=578F3559BC6615978CC86CDF95914830,SHA256=DFDB09BE1A2A27A37FD1A01A4358FF80A05E1163E1B5CF8A87842B35666A9E47,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614368 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:10.662 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1EAF9FA36AF22B306D63EF01EF33EB99,SHA256=74DC3F8EBAB600EE157654D5A0AC8BE30F8DB0C1F4886EDDBE59311574916F0A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673678 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:10.227 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=CF8B1D63AF54D5DC87A175916C26B4D7,SHA256=03C1BA9451F3398DE02C5BDE701B7AAD740CA9EA21166F96B18A02A647BCFDD4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673681 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:11.758 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1E3336C75EF752BF935280083110B2B8,SHA256=09329E1435589A98D0041C134252ED725A2AFAF9CA12A4639A4621BA78CD14D4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614371 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:11.664 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C9FF4A44AB223C6D4C72FDA6E253E1DF,SHA256=EC58AC1A2A0E9B402106D60936CEF6F643FA06F253FDA90990291C5446CD3B41,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673680 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:11.508 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=1AD65DFFECD1DB975727D0EEAFC635AA,SHA256=DD2D78971BA238B6BB2999249A0036EEAF8463DA0E849BCE92ED65EC39213BCF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614370 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:11.240 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=4A9A4502FEC77A5E0206F6BED73F7F9B,SHA256=BD28F5D3A2337FCD312F92846506E1D68814BA4AA3AE8BEBED66D4C9E32089B7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614369 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:11.240 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=25AC3E3DABC195654B1AD8DE7A5A8619,SHA256=78C2CFA1C02100DD7BBCCBD0FCDD6EDA1CF36138C7BD34AECD1EB2F668B530B9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673682 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:12.775 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0C208B264745F6C2D719AB3FE968B03D,SHA256=5C952F13006070309D0A998930BAC34A2F66B754D2097AABB277942ED96067D2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614373 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:12.695 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9C5B6B58286B89B52878E81080BF26B9,SHA256=88D203EB26C302422C2ED1AD9EE6B9F54ECB9CFF24B7C6CA671B53A499B2A25A,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 614372 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:09.027 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 50992 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673684 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:13.781 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8DA06ED2D55E6D135FF5A6488DCDB6CE,SHA256=83C951E362CDFBB7A4A711B086F064A3D1B80C8F2E2B104408BC610B06C63DE4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 614374 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 15:31:13.695 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CA7627F8CB69B15372AFFC662B3C3FDC,SHA256=C8337495BC9E7837BD82CCA56D449E43B0C52B07EEC7359E3B0CFC49F53DD574,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 673683 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:13.134 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=A83B06296B24534158B9DA1141113BD9,SHA256=FDCEC1B5B34D828875EC315FC479A09BAA991F6883CE06A56C06C688741C2038,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 673702 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 15:31:14.947 | {D419E45B-7541-60B6-3700-00000000C401} | 34043424 | C:\Windows\system32\conhost.exe | {D419E45B-F5C2-60B8-4951-00000000C401} | 812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000673701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.931{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.931{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:14.931{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.931{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.931{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F5C2-60B8-4951-00000000C401}812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.931{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F5C2-60B8-4951-00000000C401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.932{D419E45B-F5C2-60B8-4951-00000000C401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66604C9CE1950E142DDF1292CB5C9B0,SHA256=1A5B3CF2D3B9746D0F619C34A84A8037EECE8B62982D939511D46E42953B43FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:14.711{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8907B8A9BF50460D1C628044A10C5F2,SHA256=BAE76A0DD3FBD9017224D71E66D808D0D4B67B48AA1C58FD319A2911B88293A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.303{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F5C2-60B8-4851-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000673692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.303{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.303{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-F5C2-60B8-4851-00000000C401}5036C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.303{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F5C2-60B8-4851-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.288{D419E45B-F5C2-60B8-4851-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:14.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=901CF35CA4F27ADC5D8714CD4E994A41,SHA256=CA82D4AA90CA8B268B1E5848A3A2FAC3E02EDD842DEAE6840402B1E0B1B3F01C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:11.552{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51940-false10.0.1.12-8000- 23542300x8000000000000000673714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.853{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078264AE1ECAEE3A9829CA80B6971FD1,SHA256=4EA4B58C5E1B2313669C2EE0DC257EA578A177D5E5F2FDD9F27F40EBCF1248DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:15.711{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4EBD9A580991B00776EECA8BA9910D,SHA256=74442C16CC5BB47D3DE0B4CF45C3C65871C0FF5EB1B3F4A770BC7A4FC408CF1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.728{D419E45B-F5C3-60B8-4A51-00000000C401}9922628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.556{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F5C3-60B8-4A51-00000000C401}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:15.556{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.556{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:15.556{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.556{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.556{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-F5C3-60B8-4A51-00000000C401}992C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.556{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-F5C3-60B8-4A51-00000000C401}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.558{D419E45B-F5C3-60B8-4A51-00000000C401}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.290{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5448A56C02DC0148360EA75044F55878,SHA256=982E960A29D4F9A322138A01646741A01CBD37F5B61EA603AE53B00B48D1F4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:15.103{D419E45B-F5C2-60B8-4951-00000000C401}812580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:16.900{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-F5C4-60B8-4C51-00000000C401}2160C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624A947E8097FB4DE329DE35FAF72A6A,SHA256=C4F8B4D28D5D7B1F78D6BD7F1605F9071F678BAFFA04F0E0745229C032EE0682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:23.832{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF2B1EAD21D72A76E994369C8F07874,SHA256=6447B4371941605F80C51CB351690243D5E4EA9F4513244844D08F7B993EDAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:23.864{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43EF0700DE9F2034CE1F9BB8C2573634,SHA256=9C14357E11D9909A5F933E2F6E4B918EEA0A1490917D68D2C1A4E7363AA4DE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:23.395{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8BFE74395EBED1D6EF77BA6EA36CF4,SHA256=4540A91DF4F680C7FC77CAFB831EBAED16895FA1AEB9C2E31AD4157889462B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:24.832{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4189402D7B624358B9763CC19F886AE,SHA256=CC1A48029914F83BCC31408E30BD4EAD914079BD5375CD50B987C71BEEB80403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:24.411{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A35FD46C800FEFBBF51422795CCAAC1,SHA256=4DA4CCC02DBAC7EC91172829593D6EA09283970568E53F9EBADC3E0CA3C5ABD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:25.832{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3C30AC5D0F9D4EBA06891400F5BE23,SHA256=842389440B6262693D78AE1772194E35C47A44B14B9B7B2D1E2902C4B3843FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:25.426{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6EF6A40EF6E2569D7EB792B463C9D8,SHA256=1E3B0197E42193E71AF871D2A45B84DF6ECD56BF89F0D042A30F4CDBFAF3EB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:25.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA0F29B2DD2688CEFECC167CB083ED4,SHA256=A94677405B033A9D9B1499D944B7B1155DB9AA502EAAE73DB0CFC59542CED834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:26.832{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4913E699EA067A72B7712A56D5BDDDC3,SHA256=164AD18B6FDE67B629DE366CD2103C9532F5B45651FFB4D03AD0E720281C19CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:26.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B541DB7171A12B59CAE3963CE5A6C5AC,SHA256=71FAC1A2E88E521BCDB80228307F740AD1A130499CB532D9449EB9F6FEF7DD9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:26.442{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD7C9121CAF964B3C34DCFE3067025C,SHA256=85801B1292B70D280BB880883F1DC47EA812764ED68DF102F0BAED93C6F69C4E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:27.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CA0C5EFE53D93365AF0EB252A2230A,SHA256=800068367762B9578AC1F2F190B3924D714BE1A7782C57A5D64B6F20281B4BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:27.458{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66347119E1D3A7552429DF26F704B77,SHA256=A6ED11921C305129B9D4E49AE23CD52E7043EA9A990BAECDD9D4551BF4930970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:27.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D21A55D3FDBE70F2FC9F6CDD719D34,SHA256=3437FE8048E5C7A2FA93AFF6BEC5BAD4C0C53D65D987C9487F5BAC5532E7ECFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:24.882{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50995-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x8000000000000000614394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:27.097{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68DDB0ADD55B1D138074079AE5D3E313,SHA256=CB49C24079B6C97CFDDAE242CCB8D0F8360FB68F388C99CA27CE48615093E915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:27.097{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BECE79034832D2101A5DBECE9A7BE2CE,SHA256=F1AF83DABCBFE7530A724A189B9B82F370189DDB501DC4F17DBFD085530AEF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:28.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F6565DA96F579F8021907E6FD570D2,SHA256=7E59A393BB6C2EC8A507677D95A12434F95476B64976A97E7D8B4B50B665750E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:28.895{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDDFDF1164A50BCFB904A70A5EE5F10,SHA256=6EE8477ED7DE603C9B9E12616372EF1B1F06A9AB3D79A6A4BBA2E1A30E4211CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:28.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E4E4FF12D261847B620BDD681042AC,SHA256=DBAC05C01BD9B2861043AF7B3E98272C11535FC332E7825DDEA970596D20B077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:23.519{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51942-false10.0.1.12-8000- 23542300x8000000000000000614418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6395109EA09CF39D77DD4CC5D40AEF,SHA256=F771AB358B830A2B8BA6E931FB25474C5D36AB54A4286C14CF059243EB85B282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:29.614{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1E99E3420557885BEF10E652633714,SHA256=9C7A91FF47F1AA622A60EC710D05D7BD3664A022348BE119497941E6799830CA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000614417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.238{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000614416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.222{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.222{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.207{97C2ED32-7730-60B6-1600-00000000C501}12041340C:\Windows\system32\svchost.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.207{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.207{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.207{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.207{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.207{97C2ED32-7730-60B6-1600-00000000C501}12041340C:\Windows\system32\svchost.exe{97C2ED32-F5D1-60B8-7E5B-00000000C501}5764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.207{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-F5D1-60B8-7E5B-00000000C501}5764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.175{97C2ED32-F5D1-60B8-7E5B-00000000C501}57641292C:\Windows\system32\conhost.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.175{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-F5D1-60B8-7E5B-00000000C501}5764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.160{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.160{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.160{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.160{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.160{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:29.160{97C2ED32-9D3E-60B6-7A08-00000000C501}33641008C:\Windows\system32\ServerManager.exe{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.
30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000614399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.161{97C2ED32-F5D1-60B8-7D5B-00000000C501}4548C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000614398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.113{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=0C2DB3F23673DAD8B7745EA8792ACE93,SHA256=F79FFF3BBB2872DAE49E6F07730C77CE7A3472ECAAEB97CBD73AE1D1B6461C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F236ACB221CFB63FA57A6820F29BD,SHA256=4403D340262FD00278938B180F0F7A8096B7E53222421065E72FEC05806C3343,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:30.645{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE03664F24FF9864795EE43AC4F4EF75,SHA256=00A948C70780E22BB560FCCBC32B94F733ED6F45567632B3845E3AD3BAB53F3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:28.090{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50996-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000614432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:28.089{00000000-0000-0000-0000-000000000000}4548<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local50996-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 10341000x8000000000000000614431Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614430Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614429Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614428Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614427Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614425Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614424Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614423Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:30.238{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000614422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.160{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68DDB0ADD55B1D138074079AE5D3E313,SHA256=CB49C24079B6C97CFDDAE242CCB8D0F8360FB68F388C99CA27CE48615093E915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.160{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-F121-60B8-DA5A-00000000C501}5268C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000614420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.144{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0E542DB767CD6E7C891745519103ECC6,SHA256=C676478DD7BCE953484077B51F2CDF6A9B206200BD567A6212E96DDA1443D016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:30.144{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2D98C7885AA353F6C0FCC00CB28F48B2,SHA256=6A6D7FEF94DE8039E4F5F4867ECA7B4AB285CB8C402A5859EF2405C660884CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:30.036{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27DCBA69A2139CDD2670FAC4C957F7E5,SHA256=B5E52194B01BE97C0D038B03DE0C24318B0E3ABC25C7A230E17158D6F1106A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614435Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:31.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB403A280C82B643F18393B1CFE9BC5,SHA256=48109AE1DA7F83244F38F1B184076CA3DBF90C0AB7F178A0FAFA7687F007B8CD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:31.661{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9015211227CFB7E275B2FDE39562CBB,SHA256=2512DD432D4913B6FB2C5194EB7A039915241B0F71A3BEBC50C756657F8277F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:31.286{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DD0CDE74E6DEB92E72BB48C77D0A0F1,SHA256=BD9BC8A80CC0193D6D6C78807146F8DE446DB9B8E7D108E9930B05B0A94A745F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:32.723{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C737D704E58EC3AE4196374DB56457CF,SHA256=562A5636F142FC9C65D4E89A9E14CA7DD420FB70E0D13F37A74282050611877E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:32.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E1486CF0DEFEB529DC19CBD77284AB,SHA256=EB0B83F4BA44BD6763C374C99781BF18850DBFD306967A4927F176CA153A8B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:29.929{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50997-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614436Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:32.082{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4444B382CB00804B07ABEBFCD2AD0AB,SHA256=7593428F5CF90C73F4F346CFADC298C1DBB53DE9F9C15F2704BCB27F102DBC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:32.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4A6E5BBEA1E1894DA8FDB6DA337C311,SHA256=6A8E308BE1358C7AACE1FAF8C55CFD77C8A2DA0C03A4FB0A25FCDDE2272C22E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:32.317{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E556DF875FBF93CEE104DFE78C0ED415,SHA256=0766A9B10C232E7A1CE494414D4CFDA93917142D26B90E68935A7789927E1CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:33.942{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B8385C5FC9F17642F358EF41C82C48,SHA256=3CAA5D98D53BA61FA3B51F040A5F4CCF4B07F9A276FAE18242B2EA502D59EA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:33.911{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E013089B9DFF9273E0A776B70CE021,SHA256=2D7F7259739FF136E0E402F4074801FFD7065BD21F8981FC93A9E0F9E22BFCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:33.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97580720B973793115CA0A312BBCE471,SHA256=9C2678540C42DF016E3FF24E6FF4BADD32F627F05D14C25E091BAB54959491BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:28.691{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51943-false10.0.1.12-8000- 23542300x8000000000000000673786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:34.973{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F284B3D9A2D48CC016C9555DF3A8E57D,SHA256=245E370DB7FF05CF78B7E0D9EEE0FC444BF931C66189557391BAB8C76871A9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:34.879{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE579BB846922C02FEEF2C88DBDDFEEF,SHA256=9387DE8A508C97A33975C0C1AAE27A6276124C6BB29B3E451F3D8CA8C3461735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614441Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:35.894{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7964D0707E4BDB42517CBB2C8148CC4D,SHA256=21E6DFFAF62C1E55F1951640D99E1547AF101F05C1C70D7289E7D6399AAF3113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:35.067{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61D9AB19FAABD53160B9AF0A0F690E4B,SHA256=6AC232C9E24B27F442EDD76E52471D28EC549D73694DC62593B94B41F2C8A46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614442Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:36.894{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EEBF7AFC2F6B1008E3E61DB21341F1,SHA256=E132A99D5CE5DF606BCAB69D8467F61154B8B508DD3AC8DBD350329965F6EDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:36.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA8ADC0DFF394F27F7BCCD9F9EA71F1D,SHA256=18FE0F6BD2C7470D99DF6E034EBC27B402F911CB79CA732CCB6D6E9FBAE1F9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:36.083{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EC3C871AD1C9A921754F5774F763E4,SHA256=601E26339BB024967F176162D61DA660CAF4ABCBA96173C65F24C727E7C9C7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614443Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:37.894{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC57919B776136576ABBCA6AA78E5836,SHA256=582FF2387572455B82286D8C5A652291A8FEEF7643982D722671A9A91FD5CAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:37.317{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FA23DB4F6AA635427262022D5171958,SHA256=446FF6F5F0A68D7F5D74CDC0058C6A699DA5C0D82244EC8C66C2E2CE84C3F4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:37.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF9366EF54FD126F5DC203C6F7AB5D4,SHA256=3A64EAC5CD03ED155C391789FFF371D0F5A8A8DC5EC69752A2DF2E50842FE6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614447Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:38.941{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34292BD5AFB7839AC61606A237CB52C9,SHA256=E6A45F9C9FCDB9877ACD245B00AD31E8F75B71C83B8770DC9CB8D0A315167A86,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:38.473{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3ED4150BC6FC683CE4F932D5C935AA5,SHA256=78325A125F1D0D8403EE2E5BD765AA27EF4DA64219E157DFE5EF4081EC583D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:38.114{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9849CCBCE73F93C2A37F501E4291C8C7,SHA256=CF92186C5BA1AE86F250096CFA555C3A00479F70ED13DB58E9026B1F83D8D2AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614446Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:35.913{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50998-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614445Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:38.254{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9D6B81926D0C0880DF1A10860DBC52A,SHA256=5D0EC8F8862F0A5D398A2E3202942DE66EB8AAF7BDB9B7513FE0801BAAAA27BA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000614444Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:38.254{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F83C55D4515115020F12E9250B23B33A,SHA256=F0B2941832375828688175BEC5E3A7CFA264284C43DB1719449D2C4101161DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614448Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:39.945{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1F2151D48EA740D7A0268537D49F3D,SHA256=37BDBA417B8DBCE94500660A7DAF632429C8981D6E314CCA593603DF0C50BA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:39.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6540A7A494FE88D660B2148DFD476C25,SHA256=D5EB85E0BEB27511D3910DC5CB2F64E3B48D07B9BE03B94656D80C5EB9E5D45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:34.691{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51944-false10.0.1.12-8000- 23542300x8000000000000000673794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:39.129{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793E6181B08CEAC22CE0738B26908218,SHA256=4525CE7BACA4F58C72AFFC1155469EF30454B3161955ED41D6C5EDA287E7A28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614449Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:40.992{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AD0AC8068990729DC39727E64100BF,SHA256=C4C5EB080547445425CF884DB1398985808C1040AE1F9C199ACBE7F4F6487AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:40.852{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6799976B411A4B51B03C5F98D2F812EC,SHA256=269DF0CBF10AB8E16F1E596BDDB99D28152FD89F47CAF6EDBD233F0438900193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:40.134{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9751167C55716BCB6F80BF09565154,SHA256=4A79ABC129C58720DCFD1155A2A5BB047BBA6EDB3977E67FC1CB6EFFB25C1FFC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:41.149{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4536A62251AF90637DCE53CDE9754E,SHA256=FB4A2EC5BB35653B9E4A1C6DE2662148BD5E94DFEB780DF4502B4C2742F7B6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:42.321{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99681A4F2AE9A2A296FF87952383997E,SHA256=4AE23B42836FAA5030542A03E4807B8B89E1D7DCCDA205C08E2085362C35B194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:42.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BA7AF362980AA9B4BD686A98958029,SHA256=93C6E1C31D1B008EEF484D3EE518426A20C077859AF7AF6D7B655533C72FDFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614450Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:42.023{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DD4CD73D7EB7EDF40BF494863F41CF,SHA256=7226BB5E2F06EF2B956E509196BB1DAB5C81A06D80760DF692973BBE0E747620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:43.477{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1315FBAEF612BDD1F0854AA40985D6C0,SHA256=AE4C49CE00B0D93A04E8ACD3DACCB00FC0FE60FE43CA1B70F8EEB75BC00F4A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:43.180{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5730678B170E2B86504A795BE23CC74,SHA256=C4C3277233E1700FB813D1FCC2C3C2A74128799B587609674866D8847E585987,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614454Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:41.105{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local50999-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000614453Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:43.258{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13301C834B5F95BF832531E730C404F5,SHA256=6E30F1F5C9887BD11DC933EE16CE953C0EE3E1F7044FF6976AD6157D7D6D2DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614452Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:43.258{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9D6B81926D0C0880DF1A10860DBC52A,SHA256=5D0EC8F8862F0A5D398A2E3202942DE66EB8AAF7BDB9B7513FE0801BAAAA27BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614451Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:43.023{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE2C285E3DA276A48FBDBDABB492561,SHA256=2D1F5545096B30EF7391F7F7BBE1EE1919B8223BDA84D400AE17351850AD683C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:44.665{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F8D2DC198B151D02B5D9F1B6DC34CE3,SHA256=B6B61913967B789FD18BB7B799F141DD62A3FA93F62D44B17894967C93B9AEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:44.196{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BCD5283240A7E039A19D61EB241049,SHA256=B760AF1E86C2031A18E0B3C6FFEC069906D5A439CC0511D8582CE36B25A46B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614455Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:44.056{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386562006A18E28796DB5E6F1C1F710A,SHA256=FEAB86E4B1C312815855178B76A8987BD8D881F7D75A159D57DFF3788C1E92AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:45.071{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0148210D73CD5C2F5546072D67B2E53,SHA256=4F71A91E24AFFDD58B066838F59F1B0909B9743A85205EDFA523168B6338B3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:45.837{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FE169B5DAE9B216CD7956AD9D693B27,SHA256=F7741249E3BE1A01A25E6608C6E96D4CABED6D51506C236574B427EBFA676E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:40.601{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51945-false10.0.1.12-8000- 23542300x8000000000000000673806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:45.212{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A7C66A0791F9D599D4BEDFC60DD6C4,SHA256=55E1D8F3C7511A90F6F61AD046718510C488A8BE64B3658311BCCB0F79D9FE67,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000614467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000614466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09bef2b9) 13241300x8000000000000000614465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75885-0x2e27c4c0) 13241300x8000000000000000614464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588d-0x8fec2cc0) 
13241300x8000000000000000614463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75895-0xf1b094c0) 13241300x8000000000000000614462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000614461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09bef2b9) 13241300x8000000000000000614460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75885-0x2e27c4c0) 13241300x8000000000000000614459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7588d-0x8fec2cc0) 13241300x8000000000000000614458Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 15:31:46.368{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75895-0xf1b094c0) 23542300x8000000000000000614457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:46.118{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF0AE25DEFED8774232073A10522058,SHA256=72E43841931DB2A6E17BC834DB51838EC2F05ADE189AB4FE7C20469524D2305F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:46.227{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E149C04E8D30ACED3D6BD145846BF34,SHA256=D18BB89E3F1CB9E8E52914B65ABFB8491A8201D7ABCB5F90D2B5F4FADC98B5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:47.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856F5F35EAB7DBEEEEA36C2FA2186E34,SHA256=4B3A7E5723C78E77AEDBD952A9413E0DF589AFE852546993972F193F89AC23DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:47.243{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23140A1DD1D055E9F569D4292F07136,SHA256=8F53B29D37D7FED8AF188347CB6B2B5AC1011442CA09626893AE10E5D17DC404,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:47.133{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B400DA8001562B499B55BE45E2E9A0,SHA256=3B49426EA5518B456A446AD7A4117FD03890419CF59864DF57EFDA89E52DBB7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-78A4-60B6-BF02-00000000C401}39763932C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.633{D419E45B-78A4-60B6-BF02-00000000C401}39763932C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.633{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+60bba|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.633{D419E45B-F5E4-60B8-5051-00000000C401}7643912c:\temp\notrar.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|c:\temp\notrar.exe+4516|c:\temp\notrar.exe+8bfc|c:\temp\notrar.exe+a83a|c:\temp\notrar.exe+dfd38|c:\temp\notrar.exe+f3ca3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.571{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B876FD6A6FB4216441F8DF47429CF9BB,SHA256=BB3C823BE091B0E0D6220CA6252385E9A03D4540995F69F0519A1FD43C8F531D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000673847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 15:31:48.555{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exeC:\Temp\tmp\victim-files\hello.rar2021-06-03 15:31:48.555 10341000x8000000000000000673846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39763932C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39763932C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39763932C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.493{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:48.493{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-F5E4-60B8-5051-00000000C401}764c:\temp\notrar.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:49.274{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:49.274{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:49.274{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F5E5-60B8-805B-00000000C501}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:49.274{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F5E5-60B8-805B-00000000C501}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:49.275{97C2ED32-F5E5-60B8-805B-00000000C501}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:49.196{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459225023B0F3A67AD0763A545B15376,SHA256=FB08A1C7DCCE575A45CA52894AA20A23A37B889A35BE4DE21F648C02CF7D6799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:49.102{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9FD753C04475967A4B1D57574F5A6BA,SHA256=2F1241150FFC0288A7396F8B58F4DFED98B6CFEEC0385520ACFA563E39F1211D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:49.102{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13301C834B5F95BF832531E730C404F5,SHA256=6E30F1F5C9887BD11DC933EE16CE953C0EE3E1F7044FF6976AD6157D7D6D2DFF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000673866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:50.868{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E109A03A30FA19CA1691EF23B4408C5,SHA256=08AE760E5A012B9415444AC3E7BBBBC4E4AC9FDAA734742BBFF99EE9DD4C715C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:50.727{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0157C076BC1D43A9117E8C9C7A68AEEF,SHA256=5B864FF0A96672266E82495F29F9850F02EFDDA7F837420A9AEF4D6EFDB4770E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.446{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F5E6-60B8-825B-00000000C501}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:50.446{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.446{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:50.446{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.446{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:50.446{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F5E6-60B8-825B-00000000C501}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.446{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F5E6-60B8-825B-00000000C501}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.448{97C2ED32-F5E6-60B8-825B-00000000C501}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.274{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9FD753C04475967A4B1D57574F5A6BA,SHA256=2F1241150FFC0288A7396F8B58F4DFED98B6CFEEC0385520ACFA563E39F1211D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.196{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486EA0C3AEA02B20A3230327C8496B4C,SHA256=6236AD988B90CDF0CE47A18EC3C4BE195B535CB1DF7A41B100F3451F99687863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:50.087{97C2ED32-F5E5-60B8-815B-00000000C501}56285180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000673868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:46.601{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51946-false10.0.1.12-8000- 23542300x8000000000000000673867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:51.743{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6605EA3A99586296E761F634057682D,SHA256=196F10C79DA4D158EC5B710382B3A3B216609302AAFEB49F39890396CE8DCA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.728{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F5E7-60B8-845B-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:51.728{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.728{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:51.728{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.728{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:51.728{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F5E7-60B8-845B-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000614522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.728{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F5E7-60B8-845B-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000614521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.729{97C2ED32-F5E7-60B8-845B-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000614520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.681{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6C584B66A66589204C96CF5D4DF303,SHA256=5EA9ED760ECFE588917765B56E11C3EB6613EB292259DDD4986415642F9B666F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.212{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6005BAF88C1D3E8848405B01E5105C3,SHA256=997E52B96A5B04AFCD6F6172AB3632AC5F03FCE933075BCBAADDA3BBDF032831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.118{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F5E7-60B8-835B-00000000C501}948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:51.118{97C2ED32-772F-60B6-0C00-00000000C501}7241984C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
Sysmon event records (continued from the preceding line; the first record's header fields are on that line). Every record below has Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to its EventID, and an empty ("-") field between Computer and UtcTime. Schema Version is 3 for EventID 10 (ProcessAccess) and 5 for EventID 1 (ProcessCreate), EventID 3 (NetworkConnect) and EventID 23 (FileDelete). All UtcTime values fall on 2021-06-03.

Call traces shared by several ProcessAccess records (referenced by label below):
  [LSM]      C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<offset, given per record>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  [CSRSS]    C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
  [SPLUNKD]  C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  [RPCSS-A]  C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  [RPCSS-B]  C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Shared fields of every EventID 23 FileDelete record below: Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, User NT AUTHORITY\SYSTEM, IMPHASH=00000000000000000000000000000000, IsExecutable false, Archived true. On win-host-236.attackrange.local the deleting process is {97C2ED32-788B-60B6-F700-00000000C501} PID 3204; on win-dc-233.attackrange.local it is {D419E45B-7552-60B6-7500-00000000C401} PID 2528. TargetFilename is given as the leaf name under C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\.

RecordIDs (preceding line), 614515, 614514  win-host-236.attackrange.local  15:31:51.118  EventID 10 ProcessAccess (three records)
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId 724  SourceThreadId 1984
  TargetImage C:\Windows\sysmon64.exe  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId 2016
  GrantedAccess 0x1400
  CallTrace [LSM] with lsm.dll+11aad (record on the preceding line), lsm.dll+11058 (614515), lsm.dll+12023 (614514)

RecordID 614513  win-host-236.attackrange.local  15:31:51.118  EventID 10 ProcessAccess
  SourceImage C:\Windows\system32\csrss.exe  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}  SourceProcessId 408  SourceThreadId 528
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe  TargetProcessGUID {97C2ED32-F5E7-60B8-835B-00000000C501}  TargetProcessId 948
  GrantedAccess 0x1fffff
  CallTrace [CSRSS]

RecordID 614512  win-host-236.attackrange.local  15:31:51.118  EventID 10 ProcessAccess
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}  SourceProcessId 3336  SourceThreadId 2836
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe  TargetProcessGUID {97C2ED32-F5E7-60B8-835B-00000000C501}  TargetProcessId 948
  GrantedAccess 0x1fffff
  CallTrace [SPLUNKD]

RecordID 614511  win-host-236.attackrange.local  15:31:51.119  EventID 1 ProcessCreate
  ProcessGuid {97C2ED32-F5E7-60B8-835B-00000000C501}  ProcessId 948
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  FileVersion 8.0.2  Description Network monitor  Product Splunk Application  Company Splunk Inc.  OriginalFileName splunk-netmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"  CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM  LogonGuid {97C2ED32-772F-60B6-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}  ParentProcessId 3336  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

RecordID 673870  win-dc-233.attackrange.local  15:31:52.758  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=EF76AD8CE843E7F938B2BF6DD3E3108E  SHA256=533BF76C6608054ED7C6B45F3F60493791FC5CF642B1FC2F2F40302F3CCC970E

RecordID 614539  win-host-236.attackrange.local  15:31:52.946  EventID 23 FileDelete  TargetFilename Security  MD5=87537E76FB0924DFBE64B53966793E0A  SHA256=0D6BE404749B442E8282D920444CA9B022AEC1B30EDC4482CB0C06409CFBC668

RecordID 614538  win-host-236.attackrange.local  15:31:52.493  EventID 10 ProcessAccess
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  SourceProcessGUID {97C2ED32-F5E8-60B8-855B-00000000C501}  SourceProcessId 4828  SourceThreadId 5216
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  TargetProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}  TargetProcessId 3336
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

RecordID 614537  win-host-236.attackrange.local  15:31:52.352  EventID 10 ProcessAccess
  SourceImage C:\Windows\system32\conhost.exe  SourceProcessGUID {97C2ED32-787E-60B6-C400-00000000C501}  SourceProcessId 3160  SourceThreadId 3908
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  TargetProcessGUID {97C2ED32-F5E8-60B8-855B-00000000C501}  TargetProcessId 4828
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

RecordIDs 614536, 614535, 614534, 614533  win-host-236.attackrange.local  15:31:52.352  EventID 10 ProcessAccess (four records)
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}  SourceProcessId 724  SourceThreadId 1984
  TargetImage C:\Windows\sysmon64.exe  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}  TargetProcessId 2016
  GrantedAccess 0x1400
  CallTrace [LSM] with lsm.dll+fd18 (614536), lsm.dll+11aad (614535), lsm.dll+11058 (614534), lsm.dll+12023 (614533)

RecordID 614532  win-host-236.attackrange.local  15:31:52.352  EventID 10 ProcessAccess
  SourceImage C:\Windows\system32\csrss.exe  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}  SourceProcessId 408  SourceThreadId 424
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  TargetProcessGUID {97C2ED32-F5E8-60B8-855B-00000000C501}  TargetProcessId 4828
  GrantedAccess 0x1fffff
  CallTrace [CSRSS]

RecordID 614531  win-host-236.attackrange.local  15:31:52.352  EventID 10 ProcessAccess
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}  SourceProcessId 3336  SourceThreadId 2836
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  TargetProcessGUID {97C2ED32-F5E8-60B8-855B-00000000C501}  TargetProcessId 4828
  GrantedAccess 0x1fffff
  CallTrace [SPLUNKD]

RecordID 614530  win-host-236.attackrange.local  15:31:52.354  EventID 1 ProcessCreate
  ProcessGuid {97C2ED32-F5E8-60B8-855B-00000000C501}  ProcessId 4828
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion 8.0.2  Description Registry monitor  Product splunk Application  Company Splunk Inc.  OriginalFileName splunk-regmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"  CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM  LogonGuid {97C2ED32-772F-60B6-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}  ParentProcessId 3336  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

RecordID 614529  win-host-236.attackrange.local  15:31:52.227  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=5C8A2E1DC67342A6B6081210AD0432F2  SHA256=92E72A558B3DFF15CD279254F018AD790C33225F23D254C3FA96AEDB4A63AEC4
RecordID 673869  win-dc-233.attackrange.local  15:31:52.008  EventID 23 FileDelete  TargetFilename Security  MD5=F9FCE13816508E70C265AC0922519D47  SHA256=435D6883F68E931588D0EDAAFCAA0E0ABBECB6ACD3EEC73C65E2A7B3BB02CB24
RecordID 673872  win-dc-233.attackrange.local  15:31:53.774  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=B5CFF48568F76D4100CCAF3D865AE21D  SHA256=35DC0CBC8D025C41801305F785C9C9C774E7E0D6F1A3E54E51E649CFCE79993D
RecordID 614540  win-host-236.attackrange.local  15:31:53.227  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=CCD90EBAC5A934ACF07DF87E5CEE6805  SHA256=5CD2556AD806CD63C09B99CE77B60A8D48749205924235200A9F89844813E6CF
RecordID 673871  win-dc-233.attackrange.local  15:31:53.149  EventID 23 FileDelete  TargetFilename Security  MD5=EC59AFB473358BD68622A76ECA37DD31  SHA256=562670B35186985026FCDA075130B02BB419CA7ED21046EE1BDE9D3FF43FB272
RecordID 673874  win-dc-233.attackrange.local  15:31:54.774  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=FDC1193214B5D6302098FC76416CD0CE  SHA256=809C25BD06B9704B62DCCC4639BE91BF6BF503E672CEE7273F182329DF48E23B
RecordID 614541  win-host-236.attackrange.local  15:31:54.228  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=F00A8C7F431D21C55D9061FF0AE262D6  SHA256=35F881590DF56E9254D00317ADC19978FD6AE7BC0FFDEBFD92D1D7E3DB061BCE
RecordID 673873  win-dc-233.attackrange.local  15:31:54.321  EventID 23 FileDelete  TargetFilename Security  MD5=92EDEBC57F4960C0344DF77D3C7DA092  SHA256=E1616091B3CEFDB65340E7884BABCC60DF880D60AA2C6310DAA52EB340A546CC
RecordID 673876  win-dc-233.attackrange.local  15:31:55.790  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=644B2E9F8D7993CC7EC88C7EB4F69246  SHA256=E5426CC45C139120F4479D1597309FA6F94F0436C0E056ADDB4C4927A5795C94

RecordID 614544  win-host-236.attackrange.local  15:31:52.950  EventID 3 NetworkConnect
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  ProcessGuid {97C2ED32-7885-60B6-EE00-00000000C501}  ProcessId 3036  User NT AUTHORITY\SYSTEM
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-236.attackrange.local  SourcePort 51001  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname ip-10-0-1-12.us-west-2.compute.internal  DestinationPort 8000  DestinationPortName -

RecordID 614543  win-host-236.attackrange.local  15:31:55.243  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=900F8598D69838D60402EEDB318A9301  SHA256=B8D9F55E592CC932EB4B3CD9A588F3444D6B5E886A75B5F0E867F2B6891BE005
RecordID 673875  win-dc-233.attackrange.local  15:31:55.524  EventID 23 FileDelete  TargetFilename Security  MD5=83B93B58A5FFEECB1A8B17765EFB3665  SHA256=C2300A78FA26B60346C23B72F5F67AD1F8F75CDA22013120CBBC861C03794EC5
RecordID 614542  win-host-236.attackrange.local  15:31:55.118  EventID 23 FileDelete  TargetFilename Security  MD5=A7E22DC43B5DAA378A9D9E7D8BA1EEA5  SHA256=CB958096EE4B79EE34D87101D1039CB4C4A4795FE0328E2CFD5906793AEA7BD5
RecordID 673878  win-dc-233.attackrange.local  15:31:56.852  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=EA7039DDBB3AE472CE1EBA0C77CB187F  SHA256=80BDCD34882AADCE439991629ECACEAC4CE370C76AF91211E1911852C85627C8
RecordID 614545  win-host-236.attackrange.local  15:31:56.243  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=FC49317986870E501B6BF04D882CEE6B  SHA256=008E306B96A4B29934BEE2262FFB71A10B5C2EFCF45C0A3D53E006601AFE8F43
RecordID 673877  win-dc-233.attackrange.local  15:31:56.587  EventID 23 FileDelete  TargetFilename Security  MD5=E5D3890E959055134888649BB520FA50  SHA256=AAF5EBA33A0516C9BA9572E7BC6603FDA8699029247EA97AF5A48A8183AE3F57
RecordID 614546  win-host-236.attackrange.local  15:31:57.259  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=945A449704BD79528843ECCE1F4B7709  SHA256=7E215C64640D6106BF5CCA4BA97A867371D767EA026C36C6D8982B63157BA768

RecordID 673879  win-dc-233.attackrange.local  15:31:52.570  EventID 3 NetworkConnect
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  ProcessGuid {D419E45B-754A-60B6-6C00-00000000C401}  ProcessId 3320  User NT AUTHORITY\SYSTEM
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.14  SourceHostname win-dc-233.attackrange.local  SourcePort 51947  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname -  DestinationPort 8000  DestinationPortName -

RecordID 614547  win-host-236.attackrange.local  15:31:58.274  EventID 23 FileDelete  TargetFilename Microsoft-Windows-Sysmon_Operational  MD5=316353534EB238817F7CDA2B612BD044  SHA256=A0C358C9A1493BB06F0A0C3D4F70D4111A88122E77020768171AAC44DA8D42ED

RecordIDs 673914 down to 673895  win-dc-233.attackrange.local  15:31:58.352  EventID 10 ProcessAccess (twenty records, identical apart from RecordID and CallTrace)
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessGUID {D419E45B-752F-60B6-0D00-00000000C401}  SourceProcessId 904  SourceThreadId 928
  TargetImage C:\Windows\Explorer.EXE  TargetProcessGUID {D419E45B-78A4-60B6-BF02-00000000C401}  TargetProcessId 3976
  GrantedAccess 0x1000
  CallTrace [RPCSS-A] for 673914, 673912, 673910, 673908, 673906, 673904, 673902, 673900, 673898, 673896
  CallTrace [RPCSS-B] for 673913, 673911, 673909, 673907, 673905, 673903, 673901, 673899, 673897, 673895

RecordIDs 673894, 673893  win-dc-233.attackrange.local  15:31:58.352  EventID 10 ProcessAccess (two records)
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessGUID {D419E45B-752F-60B6-0D00-00000000C401}  SourceProcessId 904  SourceThreadId 928
  TargetImage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  TargetProcessGUID {D419E45B-78B3-60B6-D602-00000000C401}  TargetProcessId 6048
  GrantedAccess 0x1000
  CallTrace [RPCSS-B] for both records

RecordID 673892  win-dc-233.attackrange.local  2021-06-03 (UtcTime and remaining fields continue on the following line)  EventID 10 ProcessAccess
15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
15:31:58.352{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.087{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F586D351A3819A9F043E297140B44B3,SHA256=E65E632A35F854FF74A028AE3A4763EB628B0FE67D5E764284159EBAE56905DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:58.040{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8A04AD33A085A51FAB880593ECD01C,SHA256=71A3BDB890EC0C925757AF48E20DC402AF8C94CEB1E1FFF3566E9CAF85F8F203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:59.477{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:59.290{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D6BA09FB1A549DC0F579298B214196,SHA256=D9249FF8A25ACE04CE340F9EA172E28B8CF3DF28B0297C308CDC3F83231B782A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:59.352{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C97819E2B8B721E3E337D3D0906A901,SHA256=6343AC0E540AD8CA2AE482891EDCFEBEB8DB0010B77B52AD06320325CE6ADD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:59.352{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36781A2081ECCA4A43712DC24C8FAE3E,SHA256=1BA2FD43903A64E555047951AEFDE455C33014B2C5C5E7A5208795FB1979528A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:00.492{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FD5C760F6F6232F599AE80119EE8F29,SHA256=03BD3EE990C54D5C26328098EC0745BEBFA64BB19A9A4ECD7F6F25A6F79D5472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:00.367{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2D502BF4B5238639A56DF2225E57D7,SHA256=39A544D63A90B2B26587D32E5A1EC78E97886CF2E56E9B3C65951DB80AB7D584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:32:00.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50BDB15F2EF0D409C9D34DAB45A873BA,SHA256=870A8E629ACEB65846D9FA907D8E4165443FAA825A9FFD84A66E8E8BB4DB1C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:32:00.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=429A1979ABF87AD057F5A631B9E1758F,SHA256=C983D7423E93E67BC77AA5025B370E7AF5BB2851DE00B50FCF76128828A73F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:32:00.335{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82B6D759E73CE86F1DEAB6578B6E472,SHA256=DC0D842E1BBF2E707E4A685EC1EFA4C7A5AE1C403A15D468F8715CCA895DDBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:01.526{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B891A4F7EF07E620CBE04DC6FECD4595,SHA256=91EB9D60AED80C97308625E0F5BAE805429C3F7081A9BF27C5228E0396F9256A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:01.383{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBE01E2914F4FB38817643EE7CD437B,SHA256=D8BC9FC1F8549588143944F197853C8EAFABD7A64E23438C412148548503ABA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:32:01.366{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F696841013E3FFD94DFC4652A2B21ED8,SHA256=8C6F7AF9C59AC68957F72FD9B247B82DD1B391CE61CDFC0011868F23AB981B71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
15:31:58.309{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000673924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:31:57.585{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local51948-false10.0.1.12-8000- 23542300x8000000000000000673923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:02.664{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A4493BDC71416A4B43EF5D9C06C74C9,SHA256=CAA5B7E2488BE538167303543C8A897DADA4BB5EF93367564115E92EA1C1227D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:02.492{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 15:32:02.414{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CB3829A75E2F445471609E97997ECF,SHA256=13F0CA2B68A5E2CE4567B4F7C91997FD8BBCBEA720FC2D871E9BF5A081055B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:32:02.491{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=492C684AA717500D37299613FAD3B600,SHA256=55AD32BA1218BF84FE7073BBCCAF94E956A5B0063C00E8AF8CBA745BDFF1102D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000614555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:32:02.366{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD1D0CA1C952C5FC7C874AAE0C7FE08,SHA256=A3DC4E70B6B1A957E9260B2BA7E510F046DB24CD42991DDB7A4D2D070A493A83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000614557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 15:31:58.963{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-